From 8881009b80dca51e04bf003a42bbfb1ad7b45f5f Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 27 Apr 2023 10:15:45 -0400 Subject: [PATCH 01/30] CSP Changes draft --- windows/client-management/mdm/defender-csp.md | 6 +- .../mdm/enterprisemodernappmanagement-csp.md | 140 +++++++++++++++++- .../mdm/passportforwork-csp.md | 18 +-- .../client-management/mdm/policy-csp-audit.md | 4 +- .../mdm/policy-csp-defender.md | 17 ++- .../mdm/policy-csp-deviceinstallation.md | 4 +- .../mdm/policy-csp-internetexplorer.md | 20 +-- .../mdm/policy-csp-kerberos.md | 3 +- .../mdm/policy-csp-mixedreality.md | 24 +-- .../mdm/policy-csp-privacy.md | 10 +- .../mdm/policy-csp-tenantrestrictions.md | 4 +- .../mdm/policy-csp-update.md | 38 ++--- windows/client-management/mdm/supl-csp.md | 4 +- windows/client-management/mdm/vpnv2-csp.md | 24 +-- 14 files changed, 223 insertions(+), 93 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 7550924275..4f3b9bb084 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -4,7 +4,7 @@ description: Learn more about the Defender CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2481,7 +2481,7 @@ Information about the current status of the threat. The following list shows the | 7 | Removed | | 8 | Cleaned | | 9 | Allowed | -| 10 | No Status (Cleared) | +| 10 | No Status ( Cleared) | @@ -3676,7 +3676,7 @@ OfflineScan action starts a Microsoft Defender Offline scan on the computer wher -RollbackEngine action rolls back Microsoft Defender engine to its last known good saved version on the computer where you run the command. +RollbackEngine action rolls back Microsoft Defender engine to it's last known good saved version on the computer where you run the command. diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 726ff88fb1..9d5ec3342a 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -4,7 +4,7 @@ description: Learn more about the EnterpriseModernAppManagement CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,6 +17,7 @@ ms.topic: reference # EnterpriseModernAppManagement CSP + The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](../enterprise-app-management.md). > [!NOTE] @@ -273,6 +274,7 @@ Used to perform app installation. + This is a required node. @@ -312,6 +314,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + This is an optional node. > [!NOTE] @@ -329,6 +332,7 @@ This is an optional node. + **Example**: Here's an example for uninstalling an app: @@ -374,6 +378,7 @@ Command to perform an install of an app package from a hosted location (this can + This is a required node. The following list shows the supported deployment options: - ForceApplicationShutdown @@ -424,6 +429,7 @@ Last error relating to the app installation. + > [!NOTE] > This element isn't present after the app is installed. @@ -464,6 +470,7 @@ Description of last error relating to the app installation. + > [!NOTE] > This element isn't present after the app is installed. @@ -504,6 +511,7 @@ An integer the indicates the progress of the app installation. For https locatio + > [!NOTE] > This element isn't present after the app is installed. @@ -544,6 +552,7 @@ Status of app installation. The following values are returned: NOT_INSTALLED (0) + > [!NOTE] > This element isn't present after the app is installed. @@ -662,6 +671,7 @@ Used to manage licenses for store apps. + This is a required node. @@ -701,6 +711,7 @@ License ID for a store installed app. The license ID is generally the PFN of the + This is an optional node. @@ -741,6 +752,7 @@ Command to add license. + This is a required node. @@ -780,6 +792,7 @@ Command to get license from the store. + This is a required node. @@ -936,6 +949,7 @@ Used for inventory and app management (post-install). + This is a required node. @@ -975,6 +989,7 @@ Specifies the query for app inventory. + This is a required node. Query parameters: - Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are: @@ -1016,6 +1031,7 @@ This is a required node. Query parameters: + **Example**: The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. @@ -1057,6 +1073,7 @@ Returns the results for app inventory that was created after the AppInventoryQue + This is a required node. @@ -1070,6 +1087,7 @@ This is a required node. + **Example**: Here's an example of AppInventoryResults operation. @@ -1108,6 +1126,7 @@ Here's an example of AppInventoryResults operation. + This is a required node. Used for managing apps from the Microsoft Store. @@ -1147,6 +1166,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -1162,6 +1182,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + **Example**: Here's an example for uninstalling an app: @@ -1247,6 +1268,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -1287,6 +1309,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -1326,6 +1349,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -1405,6 +1429,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -1484,6 +1509,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. @@ -1562,6 +1588,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -1641,6 +1668,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -1683,6 +1711,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -1723,6 +1752,7 @@ Registered users of the app and the package install state. If the query is at th + This is a required node. Possible values: - 0 = Not Installed @@ -1806,6 +1836,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -1854,6 +1885,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | @@ -1909,6 +1941,7 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to + NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. @@ -1931,6 +1964,7 @@ NonRemovable requires admin permission. This setting can only be defined per dev + **Examples**: - Add an app to the nonremovable app policy list @@ -2019,6 +2053,7 @@ Interior node for the managing updates through the Microsoft Store. These settin + > [!NOTE] > ReleaseManagement settings only apply to updates through the Microsoft Store. @@ -2294,6 +2329,7 @@ Reports the last error code returned by the update scan. + This is a required node. @@ -2332,6 +2368,7 @@ This is a required node. + Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store. @@ -2371,6 +2408,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -2386,6 +2424,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + **Example**: Here's an example for uninstalling an app: @@ -2471,6 +2510,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -2511,6 +2551,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -2550,6 +2591,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -2629,6 +2671,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -2708,6 +2751,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. @@ -2786,6 +2830,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -2865,6 +2910,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -2907,6 +2953,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -2947,6 +2994,7 @@ Registered users of the app and the package install state. If the query is at th + This is a required node. Possible values: - 0 = Not Installed @@ -3030,6 +3078,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -3078,6 +3127,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | @@ -3133,6 +3183,7 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to + NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. @@ -3155,6 +3206,7 @@ NonRemovable requires admin permission. This setting can only be defined per dev + **Examples**: - Add an app to the nonremovable app policy list @@ -3555,6 +3607,7 @@ Used to restore the Windows app to its initial configuration. + Reports apps installed as part of the operating system. @@ -3594,6 +3647,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -3675,6 +3729,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -3715,6 +3770,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -3754,6 +3810,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -3833,6 +3890,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -3912,6 +3970,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. @@ -3990,6 +4049,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -4069,6 +4129,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -4111,6 +4172,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -4151,6 +4213,7 @@ Registered users of the app and the package install state. If the query is at th + This is a required node. - 0 = Not Installed @@ -4766,6 +4829,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -4814,6 +4878,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | @@ -4869,6 +4934,7 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to + NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. @@ -4891,6 +4957,7 @@ NonRemovable requires admin permission. This setting can only be defined per dev + **Examples**: - Add an app to the nonremovable app policy list @@ -5253,6 +5320,7 @@ Used to start the Windows Update scan. + This is a required node. @@ -5331,6 +5399,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -5346,6 +5415,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + **Example**: Here's an example for uninstalling an app: @@ -5391,6 +5461,7 @@ Command to perform an install of an app package from a hosted location (this can + This is a required node. The following list shows the supported deployment options: - ForceApplicationShutdown @@ -5441,6 +5512,7 @@ Last error relating to the app installation. + > [!NOTE] > This element isn't present after the app is installed. @@ -5481,6 +5553,7 @@ Description of last error relating to the app installation. + > [!NOTE] > This element isn't present after the app is installed. @@ -5521,6 +5594,7 @@ An integer the indicates the progress of the app installation. For https locatio + > [!NOTE] > This element isn't present after the app is installed. @@ -5561,6 +5635,7 @@ Status of app installation. The following values are returned: NOT_INSTALLED (0) + > [!NOTE] > This element isn't present after the app is installed. @@ -5718,6 +5793,7 @@ License ID for a store installed app. The license ID is generally the PFN of the + This is an optional node. @@ -5758,6 +5834,7 @@ Command to add license. + This is a required node. @@ -5797,6 +5874,7 @@ Command to get license from the store. + This is a required node. @@ -5992,6 +6070,7 @@ Specifies the query for app inventory. + This is a required node. Query parameters: - Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are: @@ -6031,6 +6110,7 @@ This is a required node. Query parameters: + **Example**: The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. @@ -6072,6 +6152,7 @@ Returns the results for app inventory that was created after the AppInventoryQue + This is a required node. @@ -6085,6 +6166,7 @@ This is a required node. + **Example**: Here's an example of AppInventoryResults operation. @@ -6123,6 +6205,7 @@ Here's an example of AppInventoryResults operation. + This is a required node. Used for managing apps from the Microsoft Store. @@ -6162,6 +6245,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -6177,6 +6261,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + **Example**: Here's an example for uninstalling an app: @@ -6262,6 +6347,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -6302,6 +6388,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -6341,6 +6428,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -6420,6 +6508,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -6499,6 +6588,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. @@ -6577,6 +6667,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -6656,6 +6747,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -6698,6 +6790,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -6738,6 +6831,7 @@ Registered users of the app and the package install state. If the query is at th + This is a required node. Possible values: - 0 = Not Installed @@ -6821,6 +6915,7 @@ Interior node for all managed app setting values. + > [!NOTE] > This node is only supported in the user context. @@ -6861,6 +6956,7 @@ The SettingValue and data represent a key value pair to be configured for the ap + This setting only works for apps that support the feature and it's only supported in the user context. @@ -6875,6 +6971,7 @@ This setting only works for apps that support the feature and it's only supporte + **Examples**: - The following example sets the value for the 'Server' @@ -6933,6 +7030,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -6981,6 +7079,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). |Applicability Setting |CSP state |Result | @@ -7036,6 +7135,7 @@ Interior node for the managing updates through the Microsoft Store. These settin + > [!NOTE] > ReleaseManagement settings only apply to updates through the Microsoft Store. @@ -7311,6 +7411,7 @@ Reports the last error code returned by the update scan. + This is a required node. @@ -7349,6 +7450,7 @@ This is a required node. + Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store. @@ -7388,6 +7490,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -7403,6 +7506,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + ```xml @@ -7484,6 +7588,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -7524,6 +7629,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -7563,6 +7669,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -7642,6 +7749,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -7721,6 +7829,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. Value type is int. @@ -7801,6 +7910,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -7880,6 +7990,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -7922,6 +8033,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -7962,6 +8074,7 @@ Registered users of the app and the package install state. If the query is at th + Requried. - Not Installed = 0 @@ -8045,6 +8158,7 @@ Interior node for all managed app setting values. + This node is only supported in the user context. @@ -8084,6 +8198,7 @@ The SettingValue and data represent a key value pair to be configured for the ap + This setting only works for apps that support the feature and it's only supported in the user context. @@ -8098,6 +8213,7 @@ This setting only works for apps that support the feature and it's only supporte + The following example sets the value for the 'Server' ```xml @@ -8154,6 +8270,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -8202,6 +8319,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | @@ -8531,6 +8649,7 @@ Used to remove packages. + Parameters: - Package @@ -8551,6 +8670,7 @@ Parameters: + **Example**: The following example removes a package for all users: @@ -8632,6 +8752,7 @@ Used to restore the Windows app to its initial configuration. + Reports apps installed as part of the operating system. @@ -8671,6 +8792,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -8686,6 +8808,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + **Example**: ```xml @@ -8769,6 +8892,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -8809,6 +8933,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -8848,6 +8973,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -8927,6 +9053,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -9006,6 +9133,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. @@ -9084,6 +9212,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -9163,6 +9292,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -9205,6 +9335,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -9245,6 +9376,7 @@ Registered users of the app and the package install state. If the query is at th + This is a required node. - 0 = Not Installed @@ -9328,6 +9460,7 @@ Interior node for all managed app setting values. + This node is only supported in the user context. @@ -9367,6 +9500,7 @@ The SettingValue and data represent a key value pair to be configured for the ap + This setting only works for apps that support the feature and it's only supported in the user context. @@ -9381,6 +9515,7 @@ This setting only works for apps that support the feature and it's only supporte + **Examples**: - The following example sets the value for the 'Server' @@ -9439,6 +9574,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -9487,6 +9623,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | @@ -9816,6 +9953,7 @@ Used to start the Windows Update scan. + This is a required node. diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 79728405bf..e172fe94a5 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -445,7 +445,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of digits in PIN. | -| 1 | Requires the use of at least one digit in PIN. | +| 1 | Requires the use of at least one digits in PIN. | | 2 | Does not allow the use of digits in PIN. | @@ -583,7 +583,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of lowercase letters in PIN. | -| 1 | Requires the use of at least one lowercase letter in PIN. | +| 1 | Requires the use of at least one lowercase letters in PIN. | | 2 | Does not allow the use of lowercase letters in PIN. | @@ -706,7 +706,7 @@ Minimum PIN length configures the minimum number of characters required for the -Use this policy setting to configure the use of special character in the Windows Hello for Business PIN gesture. Valid special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; `< = >` ? @ [ \ ] ^ _ ` { | } ~ . +Use this policy setting to configure the use of special characters in the Windows Hello for Business PIN gesture. Valid special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; `< = >` ? @ [ \ ] ^ _ ` { | } ~ . A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. @@ -791,7 +791,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of uppercase letters in PIN. | -| 1 | Requires the use of at least one uppercase letter in PIN. | +| 1 | Requires the use of at least one uppercase letters in PIN. | | 2 | Does not allow the use of uppercase letters in PIN. | @@ -2027,7 +2027,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of digits in PIN. | -| 1 | Requires the use of at least one digit in PIN. | +| 1 | Requires the use of at least one digits in PIN. | | 2 | Does not allow the use of digits in PIN. | @@ -2165,7 +2165,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of lowercase letters in PIN. | -| 1 | Requires the use of at least one lowercase letter in PIN. | +| 1 | Requires the use of at least one lowercase letters in PIN. | | 2 | Does not allow the use of lowercase letters in PIN. | @@ -2317,7 +2317,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of special characters in PIN. | -| 1 | Requires the use of at least one special character in PIN. | +| 1 | Requires the use of at least one special characters in PIN. | | 2 | Does not allow the use of special characters in PIN. | @@ -2373,7 +2373,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of uppercase letters in PIN. | -| 1 | Requires the use of at least one uppercase letter in PIN. | +| 1 | Requires the use of at least one uppercase letters in PIN. | | 2 | Does not allow the use of uppercase letters in PIN. | diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index 0b01016c5f..19a5889d94 100644 --- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -4,7 +4,7 @@ description: Learn more about the Audit Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 04/14/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -843,7 +843,7 @@ Volume: Low. -This policy setting allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121697). +This policy setting allows you to audit events generated by special logons such as the following : The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121697). diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 1f26de308e..8643e7282a 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/27/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1885,8 +1885,8 @@ Same as Disabled. - -This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0. + +Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a |. For example, lib|obj. @@ -1939,8 +1939,8 @@ This policy setting allows you specify a list of file types that should be exclu - -This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recommended that this be set to 0. + +Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a |. For example, C:\Example|C:\Example1. @@ -1993,8 +1993,11 @@ This policy setting allows you to disable scheduled and real-time scanning for f - -This policy setting allows you to disable real-time scanning for any file opened by any of the specified processes. This policy does not apply to scheduled scans. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. **Note** that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0. + +Allows an administrator to specify a list of files opened by processes to ignore during a scan. + +> [!IMPORTANT] +> The process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C:\Example. exe|C:\Example1.exe. diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index b65b65b1e4..c86a89adff 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -4,7 +4,7 @@ description: Learn more about the DeviceInstallation Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -347,7 +347,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.256] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.2145] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1714] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1151] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.256] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.2145] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1714] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1151] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 92fda2c42a..d8938e641c 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -4,7 +4,7 @@ description: Learn more about the InternetExplorer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1428,7 +1428,7 @@ This policy allows the user to go directly to an intranet site for a one-word en | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | @@ -2080,7 +2080,7 @@ This policy setting allows you to manage whether Internet Explorer checks for di | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | @@ -3403,7 +3403,7 @@ The Home page specified on the General tab of the Internet Options dialog box is | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.1060] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.3460] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2060] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1030] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.1060] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.3460] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2060] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1030] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | @@ -3599,7 +3599,7 @@ InPrivate Browsing prevents Internet Explorer from storing data about a user's b | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | @@ -4486,7 +4486,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.143] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1474] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.906] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.143] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1474] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.906] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | @@ -4552,7 +4552,7 @@ For more information, see | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.558] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1566] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.527] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.558] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1566] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.527] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | @@ -7968,7 +7968,7 @@ This policy setting specifies whether JScript or JScript9Legacy is loaded for MS | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | @@ -13390,7 +13390,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.261] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1832] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1266] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.282] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.261] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1832] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1266] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.282] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | @@ -16537,7 +16537,7 @@ Also, see the "Security zones: Do not allow users to change policies" policy. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 870386a6e5..16587b8ce0 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -4,7 +4,7 @@ description: Learn more about the Kerberos Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -242,7 +242,6 @@ This policy setting controls hash or checksum algorithms used by the Kerberos cl - "Not Supported" disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. - If you disable or do not configure this policy, each algorithm will assume the "Default" state. -More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found at< https://go.microsoft.com/fwlink/?linkid=2169037>. Events generated by this configuration: 205, 206, 207, 208. diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 6f83800c56..ad926281b0 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -4,7 +4,7 @@ description: Learn more about the MixedReality Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -86,7 +86,7 @@ Steps to use this policy correctly: | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -136,7 +136,7 @@ This opt-in policy can help with the setup of new devices in new areas or new us | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -188,7 +188,7 @@ For more information on the Launcher API, see [Launcher Class (Windows.System) - | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -335,7 +335,7 @@ This policy setting controls if pressing the brightness button changes the brigh | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -386,7 +386,7 @@ For more information, see [Moving platform mode on low dynamic motion moving pla | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -491,7 +491,7 @@ The following XML string is an example of the value for this policy: | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -687,7 +687,7 @@ This policy configures behavior of HUP to determine, which algorithm to use for | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -786,7 +786,7 @@ This policy setting controls whether microphone on HoloLens 2 is disabled or not | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -856,7 +856,7 @@ The following example XML string shows the value to enable this policy: | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -907,7 +907,7 @@ This policy configures whether the device will take the user through the eye tra | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -957,7 +957,7 @@ It skips the training experience of interactions with the hummingbird and Start | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index f4fa8a6e6a..507250a860 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -4,7 +4,7 @@ description: Learn more about the Privacy Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2930,7 +2930,7 @@ If an app is open when this Group Policy object is applied on a device, employee | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.25000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.25000] and later | @@ -2990,7 +2990,7 @@ This policy setting specifies whether Windows apps can access the human presence | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.25000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.25000] and later | @@ -3040,7 +3040,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.25000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.25000] and later | @@ -3090,7 +3090,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.25000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.25000] and later | diff --git a/windows/client-management/mdm/policy-csp-tenantrestrictions.md b/windows/client-management/mdm/policy-csp-tenantrestrictions.md index babefd000e..96f488a077 100644 --- a/windows/client-management/mdm/policy-csp-tenantrestrictions.md +++ b/windows/client-management/mdm/policy-csp-tenantrestrictions.md @@ -4,7 +4,7 @@ description: Learn more about the TenantRestrictions Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -31,7 +31,7 @@ ms.topic: reference | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.320] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1320] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1320] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1320] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.320] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1320] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1320] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1320] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 8bf785ab2e..a5d3afb700 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -826,12 +826,8 @@ Pause Updates | To prevent Feature Updates from being offered to the device, you - -Enable this policy to specify when to receive Feature Updates. - -Defer Updates | This enables devices to defer taking the next Feature Update available for their current product (or a new product if specified in the Select the target Feature Update version policy). You can defer a Feature Update for up to 14 days for all pre-release channels and up to 365 days for the General Availability Channel. To learn more about the current releases, please see aka.ms/WindowsTargetVersioninfo - -Pause Updates | To prevent Feature Updates from being offered to the device, you can temporarily pause Feature Updates. This pause will remain in effect for 35 days from the specified start date or until the field is cleared. Note, Quality Updates will still be offered even if Feature Updates are paused. + +Specifies the date and time when the IT admin wants to start pausing the Feature Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28). @@ -955,16 +951,8 @@ If you disable or do not configure this policy, Windows Update will not alter it - -Enable this policy to specify when to receive quality updates. - -You can defer receiving quality updates for up to 30 days. - -To prevent quality updates from being received on their scheduled time, you can temporarily pause quality updates. The pause will remain in effect for 35 days or until you clear the start date field. - -To resume receiving Quality Updates which are paused, clear the start date field. - -If you disable or do not configure this policy, Windows Update will not alter its behavior. + +Specifies the date and time when the IT admin wants to start pausing the Quality Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28). @@ -2143,9 +2131,9 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie | Value | Description | |:--|:--| -| 0 | Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. | -| 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shut down properly on restart. | -| 2 (Default) | Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shut down properly on restart. | +| 0 | Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. | +| 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. | +| 2 (Default) | Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. | | 3 | Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. | | 4 | Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. | | 5 | Turn off automatic updates. | @@ -3551,7 +3539,7 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie -This setting allows removal access to "Pause updates" feature. +This setting allows to remove access to "Pause updates" feature. Once enabled user access to pause updates is removed. @@ -4311,7 +4299,7 @@ Enable this policy to control the timing before transitioning from Auto restarts You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period. +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. @@ -4381,7 +4369,7 @@ Enable this policy to control the timing before transitioning from Auto restarts You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period. +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. @@ -4451,7 +4439,7 @@ Enable this policy to control the timing before transitioning from Auto restarts You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period. +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. @@ -4521,7 +4509,7 @@ Enable this policy to control the timing before transitioning from Auto restarts You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period. +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index 7594de5981..ddfda20a6b 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md @@ -4,7 +4,7 @@ description: Learn more about the SUPL CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,6 +17,7 @@ ms.topic: reference # SUPL CSP + The SUPL configuration service provider is used to configure the location client, as shown in the following table: - **Location Service**: Connection type @@ -395,6 +396,7 @@ This setting is deprecated in Windows 10. Optional. Boolean. Specifies whether t + | Location toggle setting | LocMasterSwitchDependencyNII setting | NI request processing allowed | |-------------------------|--------------------------------------|------------------------------------| | On | 0 | Yes | diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index ce9204701c..84b7a6c4ec 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -4,7 +4,7 @@ description: Learn more about the VPNv2 CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2838,7 +2838,7 @@ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -2876,7 +2876,7 @@ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -2915,7 +2915,7 @@ List of inbox VPN protocols in priority order. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -2953,7 +2953,7 @@ List of inbox VPN protocols in priority order. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -3003,7 +3003,7 @@ Inbox VPN protocols type. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7063,7 +7063,7 @@ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7101,7 +7101,7 @@ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7140,7 +7140,7 @@ List of inbox VPN protocols in priority order. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7178,7 +7178,7 @@ List of inbox VPN protocols in priority order. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7228,7 +7228,7 @@ Inbox VPN protocols type. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7893,7 +7893,7 @@ Boolean value (true or false) for caching credentials. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.19628] and later | +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.19628] and later | From cd60fff77a3cf01c75426bd235415de88c32779b Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 1 May 2023 14:40:00 -0400 Subject: [PATCH 02/30] April CSP changes --- .../client-management/mdm/bitlocker-csp.md | 63 ++- .../mdm/bitlocker-ddf-file.md | 48 +- windows/client-management/mdm/defender-csp.md | 52 ++- windows/client-management/mdm/defender-ddf.md | 41 +- .../mdm/devicepreparation-csp.md | 43 +- .../mdm/devicepreparation-ddf-file.md | 25 +- windows/client-management/mdm/dmclient-csp.md | 179 +++++++- .../mdm/dmclient-ddf-file.md | 121 ++++- windows/client-management/mdm/firewall-csp.md | 417 ++++-------------- .../mdm/firewall-ddf-file.md | 302 +++---------- .../mdm/policies-in-policy-csp-admx-backed.md | 7 +- ...in-policy-csp-supported-by-group-policy.md | 13 +- ...-in-policy-csp-supported-by-surface-hub.md | 3 +- .../policy-configuration-service-provider.md | 3 +- .../mdm/policy-csp-admx-sharedfolders.md | 4 +- .../mdm/policy-csp-devicelock.md | 161 ++----- .../client-management/mdm/policy-csp-start.md | 126 +++--- .../mdm/policy-csp-stickers.md | 4 +- .../mdm/policy-csp-textinput.md | 9 +- .../mdm/policy-csp-userrights.md | 106 ++--- .../mdm/policy-csp-webthreatdefense.md | 52 +-- .../client-management/mdm/policy-csp-wifi.md | 103 ++++- windows/client-management/mdm/reboot-csp.md | 4 +- .../client-management/mdm/reboot-ddf-file.md | 6 +- .../mdm/windowslicensing-csp.md | 345 +++++++++++---- .../mdm/windowslicensing-ddf-file.md | 195 ++++++-- 26 files changed, 1428 insertions(+), 1004 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index b34bc4709f..16889b4db0 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -4,7 +4,7 @@ description: Learn more about the BitLocker CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -21,6 +21,9 @@ ms.topic: reference > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. + The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro. @@ -40,6 +43,7 @@ The following list shows the BitLocker configuration service provider nodes: - ./Device/Vendor/MSFT/BitLocker - [AllowStandardUserEncryption](#allowstandarduserencryption) + - [AllowSuspensionOfBitLockerProtection](#allowsuspensionofbitlockerprotection) - [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) - [ConfigureRecoveryPasswordRotation](#configurerecoverypasswordrotation) - [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) @@ -149,6 +153,63 @@ To disable this policy, use the following SyncML: + +## AllowSuspensionOfBitLockerProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/BitLocker/AllowSuspensionOfBitLockerProtection +``` + + + + +This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled. + +> [!WARNING] +> When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally. + +The expected values for this policy are: + +0 = Prevent BitLocker Drive Encryption protection from being suspended. +1 = This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevent BitLocker Drive Encryption protection from being suspended. | +| 1 (Default) | This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. | + + + + + + + + ## AllowWarningForOtherDiskEncryption diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index 206cf3acd1..a5b1dd75f5 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -772,6 +772,52 @@ Supported Values: String form of request ID. Example format of request ID is GUI + + AllowSuspensionOfBitLockerProtection + + + + + + + + 1 + This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled. + Warning: When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally. + The format is integer. + The expected values for this policy are: + + 0 = Prevent BitLocker Drive Encryption protection from being suspended. + 1 = This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. + + + + + + + + + + + + + + + 99.9.99999 + 9.9 + + + + 0 + Prevent BitLocker Drive Encryption protection from being suspended. + + + 1 + This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. + + + + Status diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 4f3b9bb084..9ec146c353 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -4,7 +4,7 @@ description: Learn more about the Defender CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 04/26/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -63,6 +63,7 @@ The following list shows the Defender configuration service provider nodes: - [HideExclusionsFromLocalUsers](#configurationhideexclusionsfromlocalusers) - [IntelTDTEnabled](#configurationinteltdtenabled) - [MeteredConnectionUpdates](#configurationmeteredconnectionupdates) + - [OobeEnableRtpAndSigUpdate](#configurationoobeenablertpandsigupdate) - [PassiveRemediation](#configurationpassiveremediation) - [PlatformUpdatesChannel](#configurationplatformupdateschannel) - [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes) @@ -1808,6 +1809,55 @@ Allow managed devices to update through metered connections. Default is 0 - not + +### Configuration/OobeEnableRtpAndSigUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/OobeEnableRtpAndSigUpdate +``` + + + + +This setting allows you to configure whether real-time protection and Security Intelligence Updates are enabled during OOBE (Out of Box experience). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE. | +| 0 (Default) | If you either disable or do not configure this setting, real-time protection and Security Intelligence Updates during OOBE is not enabled. | + + + + + + + + ### Configuration/PassiveRemediation diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 4a653a572d..09e0cb692e 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1920,6 +1920,45 @@ The following XML file contains the device description framework (DDF) for the D + + OobeEnableRtpAndSigUpdate + + + + + + + + 0 + This setting allows you to configure whether real-time protection and Security Intelligence Updates are enabled during OOBE (Out of Box experience). + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE. + + + 0 + If you either disable or do not configure this setting, real-time protection and Security Intelligence Updates during OOBE is not enabled. + + + + ThrottleForScheduledScanOnly diff --git a/windows/client-management/mdm/devicepreparation-csp.md b/windows/client-management/mdm/devicepreparation-csp.md index e32d2c6c9a..a6be4ec54b 100644 --- a/windows/client-management/mdm/devicepreparation-csp.md +++ b/windows/client-management/mdm/devicepreparation-csp.md @@ -4,7 +4,7 @@ description: Learn more about the DevicePreparation CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -31,6 +31,7 @@ The following list shows the DevicePreparation configuration service provider no - [ClassID](#bootstrapperagentclassid) - [ExecutionContext](#bootstrapperagentexecutioncontext) - [InstallationStatusUri](#bootstrapperagentinstallationstatusuri) + - [MdmAgentInstalled](#mdmagentinstalled) - [MDMProvider](#mdmprovider) - [Progress](#mdmproviderprogress) - [PageEnabled](#pageenabled) @@ -194,6 +195,46 @@ This node holds a URI that can be queried for the status of the Bootstrapper Age + +## MdmAgentInstalled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DevicePreparation/MdmAgentInstalled +``` + + + + +This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | + + + + + + + + ## MDMProvider diff --git a/windows/client-management/mdm/devicepreparation-ddf-file.md b/windows/client-management/mdm/devicepreparation-ddf-file.md index c2a8a4aa4e..9d1713e298 100644 --- a/windows/client-management/mdm/devicepreparation-ddf-file.md +++ b/windows/client-management/mdm/devicepreparation-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -286,6 +286,29 @@ The following XML file contains the device description framework (DDF) for the D + + MdmAgentInstalled + + + + + + false + This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event. + + + + + + + + + + + + + + ``` diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index bdae4f4a67..ff2a647808 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -4,7 +4,7 @@ description: Learn more about the DMClient CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -16,6 +16,9 @@ ms.topic: reference # DMClient CSP +> [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. + The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment. @@ -37,6 +40,10 @@ The following list shows the DMClient configuration service provider nodes: - [Lock](#deviceproviderprovideridconfiglocklock) - [SecureCore](#deviceproviderprovideridconfiglocksecurecore) - [UnlockDuration](#deviceproviderprovideridconfiglockunlockduration) + - [ConfigRefresh](#deviceproviderprovideridconfigrefresh) + - [Cadence](#deviceproviderprovideridconfigrefreshcadence) + - [Enabled](#deviceproviderprovideridconfigrefreshenabled) + - [PausePeriod](#deviceproviderprovideridconfigrefreshpauseperiod) - [CustomEnrollmentCompletePage](#deviceproviderprovideridcustomenrollmentcompletepage) - [BodyText](#deviceproviderprovideridcustomenrollmentcompletepagebodytext) - [HyperlinkHref](#deviceproviderprovideridcustomenrollmentcompletepagehyperlinkhref) @@ -624,6 +631,176 @@ This node, when it is set, tells the client to set how many minutes the device s + +#### Device/Provider/{ProviderID}/ConfigRefresh + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh +``` + + + + +Parent node for ConfigRefresh nodes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/ConfigRefresh/Cadence + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/Cadence +``` + + + + +This node determines the number of minutes between refreshes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[30-1440]` | +| Default Value | 90 | + + + + + + + + + +##### Device/Provider/{ProviderID}/ConfigRefresh/Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/Enabled +``` + + + + +This node determines whether or not a periodic settings refresh for MDM policies will occur. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true | ConfigRefresh is enabled. | +| false (Default) | ConfigRefresh is disabled. | + + + + + + + + + +##### Device/Provider/{ProviderID}/ConfigRefresh/PausePeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/PausePeriod +``` + + + + +This node determines the number of minutes ConfigRefresh should be paused for. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1440]` | +| Default Value | 0 | + + + + + + + + #### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index b5ef6feff0..4de7f3bf11 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/24/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2947,6 +2947,125 @@ The following XML file contains the device description framework (DDF) for the D + + ConfigRefresh + + + + + + + Parent node for ConfigRefresh nodes + + + + + + + + + + + + + + 99.9.99999 + 1.6 + + + + Enabled + + + + + + + + false + This node determines whether or not a periodic settings refresh for MDM policies will occur. + + + + + + + + + + + + + + + true + ConfigRefresh is enabled. + + + false + ConfigRefresh is disabled. + + + LastWrite + + + + Cadence + + + + + + + + 90 + This node determines the number of minutes between refreshes. + + + + + + + + + + + + + + [30-1440] + + + + + PausePeriod + + + + + + + + 0 + This node determines the number of minutes ConfigRefresh should be paused for. + + + + + + + + + + + + + + [0-1440] + + + + diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index c5b31e1372..dd6206ae17 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -16,9 +16,6 @@ ms.topic: reference # Firewall CSP -> [!IMPORTANT] -> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. - The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. @@ -99,11 +96,11 @@ The following list shows the Firewall configuration service provider nodes: - [HyperVFirewallRules](#mdmstorehypervfirewallrules) - [{FirewallRuleName}](#mdmstorehypervfirewallrulesfirewallrulename) - [Action](#mdmstorehypervfirewallrulesfirewallrulenameaction) - - [Type](#mdmstorehypervfirewallrulesfirewallrulenameactiontype) - [Direction](#mdmstorehypervfirewallrulesfirewallrulenamedirection) - [Enabled](#mdmstorehypervfirewallrulesfirewallrulenameenabled) - [LocalAddressRanges](#mdmstorehypervfirewallrulesfirewallrulenamelocaladdressranges) - [LocalPortRanges](#mdmstorehypervfirewallrulesfirewallrulenamelocalportranges) + - [Name](#mdmstorehypervfirewallrulesfirewallrulenamename) - [Priority](#mdmstorehypervfirewallrulesfirewallrulenamepriority) - [Profiles](#mdmstorehypervfirewallrulesfirewallrulenameprofiles) - [Protocol](#mdmstorehypervfirewallrulesfirewallrulenameprotocol) @@ -111,12 +108,6 @@ The following list shows the Firewall configuration service provider nodes: - [RemotePortRanges](#mdmstorehypervfirewallrulesfirewallrulenameremoteportranges) - [Status](#mdmstorehypervfirewallrulesfirewallrulenamestatus) - [VMCreatorId](#mdmstorehypervfirewallrulesfirewallrulenamevmcreatorid) - - [HyperVLoopbackRules](#mdmstorehypervloopbackrules) - - [{RuleName}](#mdmstorehypervloopbackrulesrulename) - - [DestinationVMCreatorId](#mdmstorehypervloopbackrulesrulenamedestinationvmcreatorid) - - [Enabled](#mdmstorehypervloopbackrulesrulenameenabled) - - [PortRanges](#mdmstorehypervloopbackrulesrulenameportranges) - - [SourceVMCreatorId](#mdmstorehypervloopbackrulesrulenamesourcevmcreatorid) - [HyperVVMSettings](#mdmstorehypervvmsettings) - [{VMCreatorId}](#mdmstorehypervvmsettingsvmcreatorid) - [AllowHostPolicyMerge](#mdmstorehypervvmsettingsvmcreatoridallowhostpolicymerge) @@ -1791,7 +1782,7 @@ Specifies the description of the rule. -Comma separated list. The rule is enabled based on the traffic direction as following. +The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. @@ -1935,7 +1926,7 @@ If not specified - a new rule is disabled by default. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 21H1 [10.0.19043] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -2087,6 +2078,7 @@ An IPv6 address range in the format of "start address - end address" with no spa Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. +When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). @@ -2166,7 +2158,8 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - + +Specifies the friendly name of the firewall rule. @@ -2194,7 +2187,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 22H2 [10.0.19045.2913] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1880] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1635] and later | @@ -2205,7 +2198,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. -Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". +Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". A PolicyAppId and ServiceName cannot be specified in the same rule. @@ -2431,6 +2424,7 @@ An IPv6 address range in the format of "start address - end address" with no spa Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. +When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). @@ -3122,7 +3116,9 @@ Unique alpha numeric identifier for the rule. The rule name must not include a f -Specifies the action for the rule. +Specifies the action the rule enforces: +0 - Block +1 - Allow. @@ -3132,68 +3128,27 @@ Specifies the action for the rule. **Description framework properties**: -| Property name | Property value | -|:--|:--| -| Format | node | -| Access Type | Get | - - - - - - - - - -###### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action/Type - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action/Type -``` - - - - -Specifies the action the rule enforces: -0 - Block -1 - Allow. - - - - - - - -**Description framework properties**: - | Property name | Property value | |:--|:--| | Format | int | | Access Type | Get, Replace | | Default Value | 1 | - + - + **Allowed values**: | Value | Description | |:--|:--| | 0 | Block. | | 1 (Default) | Allow. | - + - + - + - + ##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Direction @@ -3212,7 +3167,7 @@ Specifies the action the rule enforces: -Comma separated list. The rule is enabled based on the traffic direction as following. +The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. @@ -3385,6 +3340,45 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the + +##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Name +``` + + + + +Specifies the friendly name of the Hyper-V Firewall rule. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + ##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Priority @@ -3402,7 +3396,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the -0-255 number representing the IANA Internet Protocol (TCP = 6, UDP = 17). If not specified the default is All. +This value represents the order of rule enforcement. A lower priority rule is evaluated first. If not specified, block rules are evaluated before allow rules. If priority is configured, it is highly recommended to configure the value for ALL rules to ensure expected evaluation of rules. @@ -3416,7 +3410,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-255]` | +| Allowed Values | Range: `[0-65535]` | @@ -3679,255 +3673,6 @@ This field specifies the VM Creator ID that this rule is applicable to. A NULL G - -### MdmStore/HyperVLoopbackRules - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules -``` - - - - -A list of rules controlling loopback traffic through the Windows Firewall. This enforcement is only for traffic from one container to another or to the host device. These rules are all allow rules. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | node | -| Access Type | Get | - - - - - - - - - -#### MdmStore/HyperVLoopbackRules/{RuleName} - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName} -``` - - - - -Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | node | -| Access Type | Add, Delete, Get, Replace | -| Atomic Required | True | -| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | -| Allowed Values | Regular Expression: `^[^|/]*$` | - - - - - - - - - -##### MdmStore/HyperVLoopbackRules/{RuleName}/DestinationVMCreatorId - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/DestinationVMCreatorId -``` - - - - -This field specifies the VM Creator ID of the destination of traffic that this rule applies to. If not specified, this applies to All. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | - - - - - - - - - -##### MdmStore/HyperVLoopbackRules/{RuleName}/Enabled - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/Enabled -``` - - - - -Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | bool | -| Access Type | Get, Replace | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Disabled. | -| 1 | Enabled. | - - - - - - - - - -##### MdmStore/HyperVLoopbackRules/{RuleName}/PortRanges - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/PortRanges -``` - - - - -Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Regular Expression: `^[0-9,-]+$` | - - - - - - - - - -##### MdmStore/HyperVLoopbackRules/{RuleName}/SourceVMCreatorId - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/SourceVMCreatorId -``` - - - - -This field specifies the VM Creator ID of the source of the traffic that this rule applies to. If not specified, this applies to All. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | - - - - - - - - ### MdmStore/HyperVVMSettings @@ -4026,7 +3771,7 @@ VM Creator ID that these settings apply to. Valid format is a GUID. -This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V firewall. +This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V Firewall. @@ -4075,7 +3820,7 @@ This value is used as an on/off switch. If this value is true, applicable host f -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -4125,7 +3870,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -4213,7 +3958,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. +This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -4263,7 +4008,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -4313,7 +4058,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -4363,7 +4108,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is an on/off switch for the firewall and advanced security enforcement. +This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -4412,7 +4157,7 @@ This value is an on/off switch for the firewall and advanced security enforcemen -This value is an on/off switch for the firewall and advanced security enforcement. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. +This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -4434,8 +4179,8 @@ This value is an on/off switch for the firewall and advanced security enforcemen | Value | Description | |:--|:--| -| false | Disable Firewall. | -| true (Default) | Enable Firewall. | +| false | Disable Hyper-V Firewall. | +| true (Default) | Enable Hyper-V Firewall. | @@ -4548,7 +4293,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM -This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. +This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -4598,7 +4343,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -4648,7 +4393,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -4698,7 +4443,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is an on/off switch for the firewall and advanced security enforcement. +This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -4785,7 +4530,7 @@ This value is an on/off switch for the firewall and advanced security enforcemen -This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. +This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -4835,7 +4580,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -4885,7 +4630,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -4935,7 +4680,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is an on/off switch for the firewall and advanced security enforcement. +This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -4957,8 +4702,8 @@ This value is an on/off switch for the firewall and advanced security enforcemen | Value | Description | |:--|:--| -| false | Disable Firewall. | -| true (Default) | Enable Firewall. | +| false | Disable Hyper-V Firewall. | +| true (Default) | Enable Hyper-V Firewall. | diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md index 4eb6ee5f96..6fd0b6982d 100644 --- a/windows/client-management/mdm/firewall-ddf-file.md +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2855,7 +2855,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is an on/off switch for the firewall and advanced security enforcement. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. + This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -2871,11 +2871,11 @@ The following XML file contains the device description framework (DDF) for the F false - Disable Firewall + Disable Hyper-V Firewall true - Enable Firewall + Enable Hyper-V Firewall @@ -2888,7 +2888,7 @@ The following XML file contains the device description framework (DDF) for the F 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -2918,7 +2918,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -2934,7 +2934,7 @@ The following XML file contains the device description framework (DDF) for the F 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -2964,7 +2964,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3012,7 +3012,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V firewall. + This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V Firewall. @@ -3063,7 +3063,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is an on/off switch for the firewall and advanced security enforcement. + This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -3096,7 +3096,7 @@ The following XML file contains the device description framework (DDF) for the F 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -3126,7 +3126,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3142,7 +3142,7 @@ The following XML file contains the device description framework (DDF) for the F 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -3172,7 +3172,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3187,7 +3187,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -3217,7 +3217,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3252,7 +3252,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is an on/off switch for the firewall and advanced security enforcement. + This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -3285,7 +3285,7 @@ The following XML file contains the device description framework (DDF) for the F 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -3315,7 +3315,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3331,7 +3331,7 @@ The following XML file contains the device description framework (DDF) for the F 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -3361,7 +3361,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3376,7 +3376,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -3406,7 +3406,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3441,7 +3441,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is an on/off switch for the firewall and advanced security enforcement. + This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -3457,11 +3457,11 @@ The following XML file contains the device description framework (DDF) for the F false - Disable Firewall + Disable Hyper-V Firewall true - Enable Firewall + Enable Hyper-V Firewall @@ -3474,7 +3474,7 @@ The following XML file contains the device description framework (DDF) for the F 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -3504,7 +3504,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3520,7 +3520,7 @@ The following XML file contains the device description framework (DDF) for the F 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -3550,7 +3550,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3565,7 +3565,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -3595,7 +3595,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3818,7 +3818,10 @@ ServiceName - Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). + @@ -3846,7 +3849,10 @@ ServiceName - Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). + @@ -3878,6 +3884,8 @@ ServiceName String value. Multiple ICMP type+code pairs can be included in the string by separating each value with a ",". If more than one ICMP type+code pair is specified, the strings must be separated by a comma. To specify all ICMP types and codes, use the "*" character. For specific ICMP types and codes, use the ":" to separate the type and code. The following are valid examples: 3:4 or 1:*. The "*" character can be used to represent any code. The "*" character can't be used to specify any type, examples such as "*:4" or "*:*" are invalid. + + When setting this field in a firewall rule, the protocol field must also be set, to either 1 (ICMP) or 58 (IPv6-ICMP). @@ -3892,7 +3900,7 @@ ServiceName - 10.0.19043 + 10.0.20348 1.0 @@ -3909,7 +3917,7 @@ ServiceName - Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. + Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. Valid tokens include: "*" indicates any local address. If present, this must be the only token included. @@ -4172,7 +4180,7 @@ If not specified - a new rule is disabled by default. OUT - Comma separated list. The rule is enabled based on the traffic direction as following. + The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. @@ -4328,7 +4336,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". + Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". A PolicyAppId and ServiceName cannot be specified in the same rule. @@ -4342,7 +4350,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - 99.9.99999 + 10.0.19045.2913, 10.0.22621.1635, 10.0.22000.1880 1.1 @@ -4380,6 +4388,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. + Specifies the friendly name of the firewall rule. @@ -4457,7 +4466,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - 0-255 number representing the IANA Internet Protocol (TCP = 6, UDP = 17). If not specified the default is All. + This value represents the order of rule enforcement. A lower priority rule is evaluated first. If not specified, block rules are evaluated before allow rules. If priority is configured, it is highly recommended to configure the value for ALL rules to ensure expected evaluation of rules. @@ -4471,7 +4480,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - [0-255] + [0-65535] @@ -4483,7 +4492,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. OUT - Comma separated list. The rule is enabled based on the traffic direction as following. + The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. @@ -4577,7 +4586,7 @@ If not specified the detault is OUT. - Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. + Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. Valid tokens include: "*" indicates any local address. If present, this must be the only token included. @@ -4695,10 +4704,14 @@ An IPv6 address range in the format of "start address - end address" with no spa + - Specifies the action for the rule. + 1 + Specifies the action the rule enforces: +0 - Block +1 - Allow - + @@ -4707,44 +4720,19 @@ An IPv6 address range in the format of "start address - end address" with no spa - + + + + 0 + Block + + + 1 + Allow + + - - Type - - - - - - 1 - Specifies the action the rule enforces: -0 - Block -1 - Allow - - - - - - - - - - - - - - - 0 - Block - - - 1 - Allow - - - - Enabled @@ -4785,7 +4773,7 @@ If not specified - a new rule is disabled by default. - Provides information about the specific verrsion of the rule in deployment for monitoring purposes. + Provides information about the specific version of the rule in deployment for monitoring purposes. @@ -4840,62 +4828,8 @@ If not specified - a new rule is disabled by default. - - - - HyperVLoopbackRules - - - - - A list of rules controlling loopback traffic through the Windows Firewall. This enforcement is only for traffic from one container to another or to the host device. These rules are all allow rules. - - - - - - - - - - - - - - - - - - - - - - - - Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). - - - - - - - - - - RuleName - - - - - - - - ^[^|/]*$ - - - - SourceVMCreatorId + Name @@ -4903,12 +4837,12 @@ If not specified - a new rule is disabled by default. - This field specifies the VM Creator ID of the source of the traffic that this rule applies to. If not specified, this applies to All. + Specifies the friendly name of the Hyper-V Firewall rule. - + @@ -4916,96 +4850,6 @@ If not specified - a new rule is disabled by default. - - \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} - - - - - DestinationVMCreatorId - - - - - - - - This field specifies the VM Creator ID of the destination of traffic that this rule applies to. If not specified, this applies to All. - - - - - - - - - - - - - - \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} - - - - - PortRanges - - - - - - - - Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. - - - - - - - - - - - - - - ^[0-9,-]+$ - - - - - - Enabled - - - - - - Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default. - - - - - - - - - - - - - - - 0 - Disabled - - - 1 - Enabled - - diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 08332c2601..bec6c70554 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2350,6 +2350,11 @@ This article lists the ADMX-backed policies in Policy CSP. - [TurnOffDataExecutionPreventionForExplorer](policy-csp-fileexplorer.md) - [TurnOffHeapTerminationOnCorruption](policy-csp-fileexplorer.md) +## FileSystem + +- [EnableDevDrive](policy-csp-filesystem.md) +- [DevDriveAttachPolicy](policy-csp-filesystem.md) + ## InternetExplorer - [AddSearchProvider](policy-csp-internetexplorer.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index 6aba70d787..f9aa11914a 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -340,9 +340,6 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [ClearTextPassword](policy-csp-devicelock.md) - [PasswordComplexity](policy-csp-devicelock.md) - [PasswordHistorySize](policy-csp-devicelock.md) -- [AccountLockoutThreshold](policy-csp-devicelock.md) -- [AccountLockoutDuration](policy-csp-devicelock.md) -- [ResetAccountLockoutCounterAfter](policy-csp-devicelock.md) - [AllowAdministratorLockout](policy-csp-devicelock.md) ## Display @@ -689,7 +686,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [StartLayout](policy-csp-start.md) - [ConfigureStartPins](policy-csp-start.md) - [HideRecommendedSection](policy-csp-start.md) -- [HideRecoPersonalizedSites](policy-csp-start.md) +- [HideRecommendedPersonalizedSites](policy-csp-start.md) - [HideTaskViewButton](policy-csp-start.md) - [DisableControlCenter](policy-csp-start.md) - [ForceStartSize](policy-csp-start.md) @@ -700,7 +697,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [StartLayout](policy-csp-start.md) - [ConfigureStartPins](policy-csp-start.md) - [HideRecommendedSection](policy-csp-start.md) -- [HideRecoPersonalizedSites](policy-csp-start.md) +- [HideRecommendedPersonalizedSites](policy-csp-start.md) - [SimplifyQuickSettings](policy-csp-start.md) - [DisableEditingQuickSettings](policy-csp-start.md) - [HideTaskViewButton](policy-csp-start.md) @@ -884,7 +881,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [DenyLogOnAsBatchJob](policy-csp-userrights.md) - [LogOnAsService](policy-csp-userrights.md) - [IncreaseProcessWorkingSet](policy-csp-userrights.md) -- [DenyServiceLogonRight](policy-csp-userrights.md) +- [DenyLogOnAsService](policy-csp-userrights.md) ## VirtualizationBasedTechnology @@ -897,7 +894,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [NotifyMalicious](policy-csp-webthreatdefense.md) - [NotifyPasswordReuse](policy-csp-webthreatdefense.md) - [NotifyUnsafeApp](policy-csp-webthreatdefense.md) -- [CaptureThreatWindow](policy-csp-webthreatdefense.md) +- [AutomaticDataCollection](policy-csp-webthreatdefense.md) ## Wifi diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md index e17a1d7e53..4be961a69f 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md @@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Windows 10 Team author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/28/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -257,6 +257,7 @@ This article lists the policies in Policy CSP that are applicable for the Surfac ## Start +- [HideRecommendedPersonalizedSites](policy-csp-start.md#hiderecommendedpersonalizedsites) - [StartLayout](policy-csp-start.md#startlayout) ## System diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 1eba8fd662..23bf0f8152 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4,7 +4,7 @@ description: Learn more about the Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1120,6 +1120,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f - [ExploitGuard](policy-csp-exploitguard.md) - [FederatedAuthentication](policy-csp-federatedauthentication.md) - [FileExplorer](policy-csp-fileexplorer.md) +- [FileSystem](policy-csp-filesystem.md) - [Games](policy-csp-games.md) - [Handwriting](policy-csp-handwriting.md) - [HumanPresence](policy-csp-humanpresence.md) diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md index fbc5c518ac..5c5b42532a 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md +++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_SharedFolders Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -31,7 +31,7 @@ ms.topic: reference | Scope | Editions | Applicable OS | |:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 69a26fb46f..80e5d67f50 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -4,7 +4,7 @@ description: Learn more about the DeviceLock Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -30,105 +30,44 @@ ms.topic: reference > The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For more information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types). - -## AccountLockoutDuration + +## AccountLockoutPolicy - + | Scope | Editions | Applicable OS | |:--|:--|:--| | :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - + - + ```Device -./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutDuration +./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutPolicy ``` - + - + -Account lockout duration This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. - +Account lockout threshold - This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts. Default: 0 Account lockout duration - This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. Reset account lockout counter after - This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. + - + - + - + **Description framework properties**: | Property name | Property value | |:--|:--| -| Format | int | +| Format | chr (string) | | Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-99999]` | -| Default Value | 0 | - + - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | Account lockout duration | -| Path | Windows Settings > Security Settings > Account Policies > Account Lockout Policy | - - - + - + - - - -## AccountLockoutThreshold - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutThreshold -``` - - - - -Account lockout threshold - This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts. Default: 0. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-10]` | -| Default Value | 0 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | Account lockout threshold | -| Path | Windows Settings > Security Settings > Account Policies > Account Lockout Policy | - - - - - - - + ## AllowAdministratorLockout @@ -162,7 +101,7 @@ Allow Administrator account lockout This security setting determines whether the | Format | int | | Access Type | Add, Delete, Get, Replace | | Allowed Values | Range: `[0-1]` | -| Default Value | 0 | +| Default Value | 1 | @@ -1165,11 +1104,11 @@ Complexity requirements are enforced when passwords are changed or created. -Minimum password length -This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting is dependent on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting is not defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required. +Enforce password history +This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This policy enables administrators to enhance security by ensuring that old passwords are not reused continually. Default: 24 on domain controllers. 0 on stand-alone servers. > [!NOTE] -> By default, member computers follow the configuration of their domain controllers. Default: 7 on domain controllers. 0 on stand-alone servers. Configuring this setting than 14 may affect compatibility with clients, services, and applications. Microsoft recommends that you only configure this setting larger than 14 after using the Minimum password length audit setting to test for potential incompatibilities at the new setting. +> By default, member computers follow the configuration of their domain controllers. To maintain the effectiveness of the password history, do not allow passwords to be changed immediately after they were just changed by also enabling the Minimum password age security policy setting. For information about the minimum password age security policy setting, see Minimum password age. @@ -1184,7 +1123,7 @@ This security setting determines the least number of characters that a password | Format | int | | Access Type | Add, Delete, Get, Replace | | Allowed Values | Range: `[0-24]` | -| Default Value | 7 | +| Default Value | 24 | @@ -1192,7 +1131,7 @@ This security setting determines the least number of characters that a password | Name | Value | |:--|:--| -| Name | Minimum password length | +| Name | Enforce password history | | Path | Windows Settings > Security Settings > Account Policies > Password Policy | @@ -1322,56 +1261,6 @@ If you enable this setting, users will no longer be able to modify slide show se - -## ResetAccountLockoutCounterAfter - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/DeviceLock/ResetAccountLockoutCounterAfter -``` - - - - -Reset account lockout counter after - This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[1-99999]` | -| Default Value | 0 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | Reset account lockout counter after | -| Path | Windows Settings > Security Settings > Account Policies > Account Lockout Policy | - - - - - - - - ## ScreenTimeoutWhileLocked diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 19a927a634..040fb1fed2 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -4,7 +4,7 @@ description: Learn more about the Start Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1424,6 +1424,68 @@ To validate this policy, do the following steps: + +## HideRecommendedPersonalizedSites + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/HideRecommendedPersonalizedSites +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideRecommendedPersonalizedSites +``` + + + + +This policy setting allows you to hide the personalized websites in the recommended section of the Start Menu. If you enable this policy setting, the Start Menu will no longer show personalized website recommendations in the recommended section of the start menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Personalized Website Recommendations shown. | +| 1 | Personalized Website Recommendations hidden. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HideRecommendedPersonalizedSites | +| Path | StartMenu > AT > StartMenu | + + + + + + + + ## HideRecommendedSection @@ -1493,68 +1555,6 @@ If you enable this policy setting, the Start Menu will no longer show the sectio - -## HideRecoPersonalizedSites - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | | - - - -```User -./User/Vendor/MSFT/Policy/Config/Start/HideRecoPersonalizedSites -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/Start/HideRecoPersonalizedSites -``` - - - - -This policy setting allows you to hide the personalized websites in the recommended section of the Start Menu. If you enable this policy setting, the Start Menu will no longer show personalized website recommendations in the recommended section of the start menu. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Personalized Website Recommendations shown. | -| 1 | Personalized Website Recommendations hidden. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | HideRecoPersonalizedSites | -| Path | StartMenu > AT > StartMenu | - - - - - - - - ## HideRestart diff --git a/windows/client-management/mdm/policy-csp-stickers.md b/windows/client-management/mdm/policy-csp-stickers.md index c977508f6e..d57c186ddb 100644 --- a/windows/client-management/mdm/policy-csp-stickers.md +++ b/windows/client-management/mdm/policy-csp-stickers.md @@ -4,7 +4,7 @@ description: Learn more about the Stickers Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -26,7 +26,7 @@ ms.topic: reference | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 4d0a66c573..7832fbfb73 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -4,7 +4,7 @@ description: Learn more about the TextInput Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -949,7 +949,7 @@ This Policy setting applies only to Microsoft Traditional Chinese IME. -This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode. The touch keyboard is enabled in both the tablet and desktop mode. In the tablet mode, when you touch a textbox, the touch keyboard automatically shows up. But in the desktop mode, by default, the touch keyboard does not automatically show up when you touch a textbox. The user must click the system tray to enable the touch keyboard. When this policy is enabled, the touch keyboard automatically shows up when the device is in the desktop mode. This policy corresponds to Show the touch keyboard when not in tablet mode and there's no keyboard attached in the Settings app. +This policy allows the IT admin to control whether the touch keyboard should show up on tapping an edit control. By default, when you tap a textbox, the touch keyboard automatically shows up when there's no keyboard attached. When this policy is enabled, the touch keyboard can be shown or suppressed regardless of the hardware keyboard availability. This policy corresponds to Show the touch keyboard setting in the Settings app. @@ -971,8 +971,9 @@ This policy allows the IT admin to enable the touch keyboard to automatically sh | Value | Description | |:--|:--| -| 0 (Default) | Disabled. | -| 1 | Enabled. | +| 0 (Default) | Never. | +| 1 | When no keyboard attached. | +| 2 | Always. | diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 113eac5d6c..d901a34a02 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -4,7 +4,7 @@ description: Learn more about the UserRights Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -980,6 +980,58 @@ This security setting determines which accounts are prevented from being able to + +## DenyLogOnAsService + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/DenyLogOnAsService +``` + + + + +Deny log on as a service -This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies. + +> [!NOTE] +> This security setting does not apply to the System, Local Service, or Network Service accounts. Default: None. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Deny log on as a service | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + ## DenyRemoteDesktopServicesLogOn @@ -1029,58 +1081,6 @@ This user right determines which users and groups are prohibited from logging on - -## DenyServiceLogonRight - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/UserRights/DenyServiceLogonRight -``` - - - - -This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies. - -> [!NOTE] -> This security setting does not apply to the System, Local Service, or Network Service accounts. Default: None. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | List (Delimiter: `0xF000`) | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | Deny log on as a service | -| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | - - - - - - - - ## EnableDelegation diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md index 3f32d7c225..d92837b542 100644 --- a/windows/client-management/mdm/policy-csp-webthreatdefense.md +++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md @@ -4,7 +4,7 @@ description: Learn more about the WebThreatDefense Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -25,63 +25,63 @@ ms.topic: reference > In Microsoft Intune, this CSP is listed under the **Enhanced Phishing Protection** category. - -## CaptureThreatWindow + +## AutomaticDataCollection - + | Scope | Editions | Applicable OS | |:--|:--|:--| | :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - + - + ```Device -./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/CaptureThreatWindow +./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection ``` - + - + -Configures Enhanced Phishing Protection notifications to allow to capture the suspicious window on client machines for further threat analysis. - +Automatically collect website or app content when additional analysis is needed to help identify security threats. + - + - + - + **Description framework properties**: | Property name | Property value | |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | - +| Default Value | 0 | + - + **Allowed values**: | Value | Description | |:--|:--| -| 0 | Disabled. | -| 1 (Default) | Enabled. | - +| 0 (Default) | Disabled. | +| 1 | Enabled. | + - + **Group policy mapping**: | Name | Value | |:--|:--| -| Name | CaptureThreatWindow | +| Name | AutomaticDataCollection | | Path | WebThreatDefense > AT > WindowsComponents > WebThreatDefense | - + - + - + - + ## NotifyMalicious diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 5eb3b2dd3e..e538a7928c 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -4,7 +4,7 @@ description: Learn more about the Wifi Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -228,6 +228,105 @@ Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. + +## AllowWFAQosManagementDSCPToUPMapping + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Wifi/AllowWFAQosManagementDSCPToUPMapping +``` + + + + +Allow or disallow the device to use the DSCP to UP Mapping feature from the Wi-Fi Alliance QOS Management Suite 2020. This policy requires a reboot to take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | DSCP to UP Mapping will be disabled. | +| 1 | DSCP to UP Mapping will be enabled. | +| 2 (Default) | DSCP to UP Mapping will be enabled only if it is enabled in the network profile. | + + + + + + + + + +## AllowWFAQosManagementMSCS + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Wifi/AllowWFAQosManagementMSCS +``` + + + + +Allow or disallow the device to automatically request to enable Mirrored Stream Classification Service when connecting to a MSCS capable network. This is a Quality of Service feature associated with Wi-Fi Alliance QoS Management Suite 2020. This policy requires a reboot to take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The device will not automatically request to enable MSCS when connecting to a MSCS capable network. | +| 1 (Default) | The device will automatically request to enable MSCS when connecting to a MSCS capable network. | + + + + + + + + ## AllowWiFi @@ -245,7 +344,7 @@ Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. -This policy has been deprecated. +Allow or disallow WiFi connection. diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 04eabb0246..32c31c0461 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -4,7 +4,7 @@ description: Learn more about the Reboot CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -194,7 +194,7 @@ Value in ISO8601, both the date and time are required. A reboot will be schedule | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md index 98866efffa..7771d079d3 100644 --- a/windows/client-management/mdm/reboot-ddf-file.md +++ b/windows/client-management/mdm/reboot-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -170,6 +170,10 @@ The following XML file contains the device description framework (DDF) for the R + + 10.0.22621 + 1.0 + diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index da4d51d70b..8c55c2fd8e 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -4,7 +4,7 @@ description: Learn more about the WindowsLicensing CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -28,12 +28,10 @@ The following list shows the WindowsLicensing configuration service provider nod - [ChangeProductKey](#changeproductkey) - [CheckApplicability](#checkapplicability) - [DeviceLicensingService](#devicelicensingservice) - - [AcquireDeviceLicense](#devicelicensingserviceacquiredevicelicense) - [DeviceLicensingLastError](#devicelicensingservicedevicelicensinglasterror) - [DeviceLicensingLastErrorDescription](#devicelicensingservicedevicelicensinglasterrordescription) - [DeviceLicensingStatus](#devicelicensingservicedevicelicensingstatus) - [LicenseType](#devicelicensingservicelicensetype) - - [RemoveDeviceLicense](#devicelicensingserviceremovedevicelicense) - [Edition](#edition) - [LicenseKeyType](#licensekeytype) - [SMode](#smode) @@ -45,6 +43,12 @@ The following list shows the WindowsLicensing configuration service provider nod - [{SubscriptionId}](#subscriptionssubscriptionid) - [Name](#subscriptionssubscriptionidname) - [Status](#subscriptionssubscriptionidstatus) + - [DisableSubscription](#subscriptionsdisablesubscription) + - [RemoveSubscription](#subscriptionsremovesubscription) + - [SubscriptionLastError](#subscriptionssubscriptionlasterror) + - [SubscriptionLastErrorDescription](#subscriptionssubscriptionlasterrordescription) + - [SubscriptionStatus](#subscriptionssubscriptionstatus) + - [SubscriptionType](#subscriptionssubscriptiontype) - [UpgradeEditionWithLicense](#upgradeeditionwithlicense) - [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) @@ -167,7 +171,8 @@ Returns TRUE if the entered product key can be used for an edition upgrade of Wi - + +Device Based Subscription. @@ -189,45 +194,6 @@ Returns TRUE if the entered product key can be used for an edition upgrade of Wi - -### DeviceLicensingService/AcquireDeviceLicense - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | - - - -```Device -./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/AcquireDeviceLicense -``` - - - - -Acquire and Refresh Device License. Does not reboot. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | null | -| Access Type | Exec | - - - - - - - - ### DeviceLicensingService/DeviceLicensingLastError @@ -375,7 +341,7 @@ License Type: User Based Subscription or Device Based Subscription. | Property name | Property value | |:--|:--| | Format | int | -| Access Type | Add, Delete, Get, Replace | +| Access Type | Get, Replace | @@ -393,45 +359,6 @@ License Type: User Based Subscription or Device Based Subscription. - -### DeviceLicensingService/RemoveDeviceLicense - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | - - - -```Device -./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/RemoveDeviceLicense -``` - - - - -Remove Device License. Device would be ready for user based license after this operation. Does not reboot. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | null | -| Access Type | Exec | - - - - - - - - ## Edition @@ -1064,6 +991,258 @@ Returns the status of the subscription. + +### Subscriptions/DisableSubscription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/DisableSubscription +``` + + + + +Disable or Enable subscription activation on a device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Enable Subscription. | +| 1 | Disable Subscription. It also removes any existing subscription on the device. | + + + + + + + + + +### Subscriptions/RemoveSubscription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/RemoveSubscription +``` + + + + +Remove subscription uninstall subscription license. It also reset subscription type to User Based Subscription. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +### Subscriptions/SubscriptionLastError + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionLastError +``` + + + + +Error code of last subscription operation. Value would be empty(0) in absence of error. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### Subscriptions/SubscriptionLastErrorDescription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionLastErrorDescription +``` + + + + +Error description of last subscription operation. Value would be empty, if error description cannot be evaluated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Subscriptions/SubscriptionStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionStatus +``` + + + + +Status of last subscription operation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### Subscriptions/SubscriptionType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionType +``` + + + + +Set device to Device Based Subscription or User Based Subscription. For Device Based Subscription this action will automatically acquire the subscription on the device. For User Based Subscription the existing process of user logon will be required. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | User Based Subscription. | +| 1 | Device Based Subscription. | + + + + + + + + ## UpgradeEditionWithLicense diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index ad27537130..b5e14bb5ec 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/17/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -322,6 +322,153 @@ The following XML file contains the device description framework (DDF) for the W + + SubscriptionType + + + + + + Set device to Device Based Subscription or User Based Subscription. For Device Based Subscription this action will automatically acquire the subscription on the device. For User Based Subscription the existing process of user logon will be required. + + + + + + + + + + + + + + + 0 + User Based Subscription + + + 1 + Device Based Subscription + + + + + + SubscriptionStatus + + + + + Status of last subscription operation. + + + + + + + + + + + + + + + + SubscriptionLastError + + + + + Error code of last subscription operation. Value would be empty(0) in absence of error. + + + + + + + + + + + + + + + + SubscriptionLastErrorDescription + + + + + Error description of last subscription operation. Value would be empty, if error description cannot be evaluated. + + + + + + + + + + + + + + + + DisableSubscription + + + + + Disable or Enable subscription activation on a device + + + + + + + + + + + + + + + 0 + Enable Subscription + + + 1 + Disable Subscription. It also removes any existing subscription on the device. + + + + + + RemoveSubscription + + + + + Remove subscription uninstall subscription license. It also reset subscription type to User Based Subscription. + + + + + + + + + + + + + + SMode @@ -439,7 +586,7 @@ The following XML file contains the device description framework (DDF) for the W - Insert Description Here + Device Based Subscription @@ -461,8 +608,6 @@ The following XML file contains the device description framework (DDF) for the W LicenseType - - @@ -554,48 +699,6 @@ The following XML file contains the device description framework (DDF) for the W - - AcquireDeviceLicense - - - - - Acquire and Refresh Device License. Does not reboot. - - - - - - - - - - - - - - - - RemoveDeviceLicense - - - - - Remove Device License. Device would be ready for user based license after this operation. Does not reboot. - - - - - - - - - - - - - - From 51f77de0987ae19fd3ddf37b69637833a021db90 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 1 May 2023 15:08:22 -0400 Subject: [PATCH 03/30] Remove FileSystem --- .../mdm/policies-in-policy-csp-admx-backed.md | 5 ----- .../mdm/policy-configuration-service-provider.md | 1 - 2 files changed, 6 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index bec6c70554..404381b85a 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -2350,11 +2350,6 @@ This article lists the ADMX-backed policies in Policy CSP. - [TurnOffDataExecutionPreventionForExplorer](policy-csp-fileexplorer.md) - [TurnOffHeapTerminationOnCorruption](policy-csp-fileexplorer.md) -## FileSystem - -- [EnableDevDrive](policy-csp-filesystem.md) -- [DevDriveAttachPolicy](policy-csp-filesystem.md) - ## InternetExplorer - [AddSearchProvider](policy-csp-internetexplorer.md) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 23bf0f8152..1fc1424bc4 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1120,7 +1120,6 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f - [ExploitGuard](policy-csp-exploitguard.md) - [FederatedAuthentication](policy-csp-federatedauthentication.md) - [FileExplorer](policy-csp-fileexplorer.md) -- [FileSystem](policy-csp-filesystem.md) - [Games](policy-csp-games.md) - [Handwriting](policy-csp-handwriting.md) - [HumanPresence](policy-csp-humanpresence.md) From 76278e9d2ae5e5da019d5c8dada4f000357cb0ed Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 1 May 2023 18:58:36 -0400 Subject: [PATCH 04/30] Remove ignored nodes from DDF xml --- .../mdm/personaldataencryption-ddf-file.md | 184 +----------------- .../mdm/surfacehub-ddf-file.md | 98 +--------- 2 files changed, 2 insertions(+), 280 deletions(-) diff --git a/windows/client-management/mdm/personaldataencryption-ddf-file.md b/windows/client-management/mdm/personaldataencryption-ddf-file.md index b5425cab46..1d5d233812 100644 --- a/windows/client-management/mdm/personaldataencryption-ddf-file.md +++ b/windows/client-management/mdm/personaldataencryption-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -83,128 +83,6 @@ The following XML file contains the device description framework (DDF) for the P - - ProtectFolders - - - - - - - - - - - - - - - - - - - ProtectDocuments - - - - - - - - Allows the Admin to enable PDE on Documents folder. Set to '1' to set this policy. - - - - - - - - - - - - - - - 0 - Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. - - - 1 - Enable PDE on the folder. - - - - - - ProtectDesktop - - - - - - - - Allows the Admin to enable PDE on Desktop folder. Set to '1' to set this policy. - - - - - - - - - - - - - - - 0 - Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. - - - 1 - Enable PDE on the folder. - - - - - - ProtectPictures - - - - - - - - Allows the Admin to enable PDE on Pictures folder. Set to '1' to set this policy. - - - - - - - - - - - - - - - 0 - Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. - - - 1 - Enable PDE on the folder. - - - - - Status @@ -245,66 +123,6 @@ The following XML file contains the device description framework (DDF) for the P - - FolderProtectionStatus - - - - - This node reports folder protection status for a user. - - - - - - - - - - - - - - - 0 - Protection not started. - - - 1 - Protection is completed with no failures. - - - 2 - Protection in progress. - - - 3 - Protection failed. - - - - - - FoldersProtected - - - - - This node reports all folders (full path to each folder) that have been protected. - - - - - - - - - - - - - - diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md index 16e2b4acd8..5437172618 100644 --- a/windows/client-management/mdm/surfacehub-ddf-file.md +++ b/windows/client-management/mdm/surfacehub-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/24/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -50,102 +50,6 @@ The following XML file contains the device description framework (DDF) for the S 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; - - AutopilotSelfdeploy - - - - - Node for setting Autopilot self-deployment mode device account information. This information is stored and committed by the Autopilot client during the Enrollment Status Page phase of OOBE for Surface Hub devices that are using Autopilot self-deploying mode. These values should be set only during the first sync phase of enrollment and are ignored at any other time. - - - - - - - - - - - - - - - - - - UserPrincipalName - - - - - - User principal name (UPN) of the device account. Autopilot on Surface Hub only supports Azure Active Directory, and this should specify the UPN of the device account. Get is allowed here but only returns a blank - - - - - - - - - - - - - - - - - - Password - - - - - - Password for the device account. Get is allowed here, but will always return a blank. - - - - - - - - - - - - - - - - - - FriendlyName - - - - - - The device friendly name set during Autopilot self-deploying mode on Surface Hub. Get is allowed here but only returns a blank - - - - - - - - - - - - - - - - - DeviceAccount From 442636a641eca5a1298fe8f4d93f5b930ae18c46 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Thu, 4 May 2023 17:47:07 -0600 Subject: [PATCH 05/30] Update wufb-reports-do.md The sample was missing the null-terminator, which is required. --- windows/deployment/update/wufb-reports-do.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md index 580d459ff8..9c2455ffd2 100644 --- a/windows/deployment/update/wufb-reports-do.md +++ b/windows/deployment/update/wufb-reports-do.md @@ -92,7 +92,7 @@ There are several calculated values that appear on the Delivery Optimization rep In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. You can create a mapping of original to encoded GroupIDs using the following PowerShell example: ```powershell -$text = "" ; +$text = "`0"; (the null-terminator (`0) must be included in the string hash) $hashObj = [System.Security.Cryptography.HashAlgorithm]::Create('sha256') ; $dig = $hashObj.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($text)) ; $digB64 = [System.Convert]::ToBase64String($dig) ; Write-Host "$text ==> $digB64" ``` From 59cffdf58cfce98e9cfee516bbeef6d4a4e480b7 Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Fri, 5 May 2023 01:28:19 -0500 Subject: [PATCH 06/30] More changes --- ...utopatch-groups-manage-autopatch-groups.md | 49 +++++++++++++++++-- ...s-manage-windows-feature-update-release.md | 2 +- 2 files changed, 47 insertions(+), 4 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index e1c138aaca..64da09bf0a 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -1,7 +1,7 @@ --- title: Manage Windows Autopatch groups description: This article explains how to manage Autopatch groups -ms.date: 05/03/2023 +ms.date: 05/05/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to @@ -46,7 +46,7 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr - Windows Autopatch – Ring2 - Windows Autopatch – Ring3 - Windows Autopatch – Last -- Additionally, **don't** modify the Azure AD group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups. +- Additionally, **don't** modify the Azure AD group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups. If the ownership is modified, you must add the **Modern Workplace Management** Service Principal as the owner of these groups. - For more information, see [assign an owner of member of a group in Azure AD](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) on how to remediate Azure Azure AD group ownership. - Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality won’t work properly. Autopatch uses app-only auth to: - Read device attributes to successfully register devices. @@ -123,7 +123,11 @@ You **can’t** delete the Default Autopatch group. However, you can delete a Cu > [!CAUTION] > You can’t delete a Custom Autopatch group when it’s being used as part of one or more active or paused feature update releases. However, you can delete a Custom Autopatch group when the release for either Windows quality or feature updates have either the **Scheduled** or **Paused** statuses. -## Manage device conflict scenarios when Autopatch groups +## Manage device conflict scenarios when using Autopatch groups + +> [!IMPORTANT] +> The Windows Autopatch groups functionaliy is in **public preview**. This feature is being actively developed and not all device conflict detection and resolution scenarios are working as expected. +> See Known issues for more details on what's currently available and what's coming next for this scenario. Overlap in device membership is a common scenario when working with device-based Azure AD groups since sometimes dynamic queries can be large in scope or the same assigned device membership can be used across different Azure AD groups. @@ -171,3 +175,42 @@ When you create or edit the Custom or Default Autopatch group, Windows Autopatch #### Device conflict post device registration Autopatch groups will keep monitoring for all device conflict scenarios listed in the [Manage device conflict scenarios when using Autopatch groups](#manage-device-conflict-scenarios-when-autopatch-groups) section even after devices were successfully registered with the service. + +## Known issues +This section lists recent known issues with Autopatch groups during its public preview. + +### Device conflict scenarios when using Autopatch groups +- **Status: Active** +- **Date: 05/05/2023** + +The Windows Autopatch team is aware that all device conflict scenarios listed below are only being currently evaluated during the device registration process to make sure devices are properly registered with the service, and not evaluated post device registration. The device conflict scenarios are: + +- Default to custom AG device conflict detection and resolution. +- Device conflict detection and resolution within an Autopatch group. +- Custom to custom Autopatch group device conflict detection. + +The Windows Autopatch team is currently developing detection and resolution for the device conflict scenarios above, and plan to make them available in production still during the public preview timeframe. + +### Autopatch group Azure AD group remediator +- **Status: Active** +- **Date: 05/05/2023** + +The Windows Autopatch team is aware that the Windows Autopatch service is not automatically restoring the Azure AD groups that get created during the Autopatch groups creation/editing process. This means that if deleted or renamed, the following Azure AD groups that belong to the default Autopatch group and other Azure AD groups that get created with custom Autopatch groups will not be automatically remediated on your behalf yet: + +- Windows Autopatch – Test +- Windows Autopatch – Ring1 +- Windows Autopatch – Ring2 +- Windows Autopatch – Ring3 +- Windows Autopatch – Last + +The Windows Autopatch team is currently developing the Autopatch group Azure AD group remediator feature and plan to make it available in production still during the public preview timeframe. + +> [!NOTE] +> The Autopatch group remediator will not cover remediation of the service-based deployment rings: +> +> - Modern Workplace Devices-Windows Autopatch-Test +> - Modern Workplace Devices-Windows Autopatch-First +> - Modern Workplace Devices-Windows Autopatch-Fast +> - Modern Workplace Devices-Windows Autopatch-Broad +> +> Use the [Policy health feature](../operate/windows-autopatch-policy-health-and-remediation.md) to restore these groups, if needed. See [restore Windows update policies](../operate/windows-autopatch-policy-health-and-remediation.md#restore-windows-update-policies) for more information. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md index 5552fe0c6d..fab7bbabbc 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md @@ -1,7 +1,7 @@ --- title: Manage Windows feature update releases description: This article explains how you can manage Windows feature updates with Autopatch groups -ms.date: 05/01/2023 +ms.date: 05/05/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual From 532bc740aabc4dda58c976ded2176b4d90624b8f Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Fri, 5 May 2023 01:37:18 -0500 Subject: [PATCH 07/30] More changes --- .../windows-autopatch-groups-manage-autopatch-groups.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index 64da09bf0a..989650e09e 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -127,7 +127,7 @@ You **can’t** delete the Default Autopatch group. However, you can delete a Cu > [!IMPORTANT] > The Windows Autopatch groups functionaliy is in **public preview**. This feature is being actively developed and not all device conflict detection and resolution scenarios are working as expected. -> See Known issues for more details on what's currently available and what's coming next for this scenario. +> See [Known issues](#known-issues) for more details on what to expect for this scenario during the public preview. Overlap in device membership is a common scenario when working with device-based Azure AD groups since sometimes dynamic queries can be large in scope or the same assigned device membership can be used across different Azure AD groups. @@ -181,7 +181,6 @@ This section lists recent known issues with Autopatch groups during its public p ### Device conflict scenarios when using Autopatch groups - **Status: Active** -- **Date: 05/05/2023** The Windows Autopatch team is aware that all device conflict scenarios listed below are only being currently evaluated during the device registration process to make sure devices are properly registered with the service, and not evaluated post device registration. The device conflict scenarios are: @@ -193,7 +192,6 @@ The Windows Autopatch team is currently developing detection and resolution for ### Autopatch group Azure AD group remediator - **Status: Active** -- **Date: 05/05/2023** The Windows Autopatch team is aware that the Windows Autopatch service is not automatically restoring the Azure AD groups that get created during the Autopatch groups creation/editing process. This means that if deleted or renamed, the following Azure AD groups that belong to the default Autopatch group and other Azure AD groups that get created with custom Autopatch groups will not be automatically remediated on your behalf yet: From 815be4340f827aa62ed5450c43aa73e42e31a2de Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Fri, 5 May 2023 01:45:54 -0500 Subject: [PATCH 08/30] More changes --- .../deploy/windows-autopatch-groups-manage-autopatch-groups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index 989650e09e..9928029705 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -47,7 +47,7 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr - Windows Autopatch – Ring3 - Windows Autopatch – Last - Additionally, **don't** modify the Azure AD group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups. If the ownership is modified, you must add the **Modern Workplace Management** Service Principal as the owner of these groups. - - For more information, see [assign an owner of member of a group in Azure AD](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) on how to remediate Azure Azure AD group ownership. + - For more information, see [assign an owner or member of a group in Azure AD](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) for steps on how to add owners to Azure Azure AD groups. - Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality won’t work properly. Autopatch uses app-only auth to: - Read device attributes to successfully register devices. - Manage all configurations related to the operation of the service. From d8b1ea7df8601cd71c977054773a940d8ad928ff Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Fri, 5 May 2023 01:47:55 -0500 Subject: [PATCH 09/30] More changes --- .../deploy/windows-autopatch-groups-manage-autopatch-groups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index 9928029705..e0f6384c21 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -211,4 +211,4 @@ The Windows Autopatch team is currently developing the Autopatch group Azure AD > - Modern Workplace Devices-Windows Autopatch-Fast > - Modern Workplace Devices-Windows Autopatch-Broad > -> Use the [Policy health feature](../operate/windows-autopatch-policy-health-and-remediation.md) to restore these groups, if needed. See [restore Windows update policies](../operate/windows-autopatch-policy-health-and-remediation.md#restore-windows-update-policies) for more information. +> Use the [Policy health feature](../operate/windows-autopatch-policy-health-and-remediation.md) to restore these groups, if needed. See [restore deployment groups](../operate/windows-autopatch-policy-health-and-remediation.md#restore-deployment-groups) for more information. From 6df9a82894afbdcc91487e998bf4c427c330dcc6 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 5 May 2023 08:16:02 -0700 Subject: [PATCH 10/30] Update windows-autopatch-groups-manage-autopatch-groups.md --- ...utopatch-groups-manage-autopatch-groups.md | 21 +++++++++---------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index e0f6384c21..f92ad1edb8 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -127,7 +127,7 @@ You **can’t** delete the Default Autopatch group. However, you can delete a Cu > [!IMPORTANT] > The Windows Autopatch groups functionaliy is in **public preview**. This feature is being actively developed and not all device conflict detection and resolution scenarios are working as expected. -> See [Known issues](#known-issues) for more details on what to expect for this scenario during the public preview. +> Fore more information on what to expect for this scenario during public preview, see [Known issues](#known-issues). Overlap in device membership is a common scenario when working with device-based Azure AD groups since sometimes dynamic queries can be large in scope or the same assigned device membership can be used across different Azure AD groups. @@ -174,26 +174,25 @@ When you create or edit the Custom or Default Autopatch group, Windows Autopatch #### Device conflict post device registration -Autopatch groups will keep monitoring for all device conflict scenarios listed in the [Manage device conflict scenarios when using Autopatch groups](#manage-device-conflict-scenarios-when-autopatch-groups) section even after devices were successfully registered with the service. +Autopatch groups will keep monitoring for all device conflict scenarios listed in the [Manage device conflict scenarios when using Autopatch groups](../deploy/windows-autopatch-groups-.md#manage-device-conflict-scenarios-when-using-autopatch-groups) section even after devices were successfully registered with the service. ## Known issues + This section lists recent known issues with Autopatch groups during its public preview. ### Device conflict scenarios when using Autopatch groups - **Status: Active** -The Windows Autopatch team is aware that all device conflict scenarios listed below are only being currently evaluated during the device registration process to make sure devices are properly registered with the service, and not evaluated post device registration. The device conflict scenarios are: +The Windows Autopatch team is aware that all device conflict scenarios listed below are currently being evaluated during the device registration process to make sure devices are properly registered with the service, and not evaluated post-device registration. The Windows Autopatch team is currently developing detection and resolution for the followin device conflict scenarios, and plan to make them available during public preview. -- Default to custom AG device conflict detection and resolution. +- Default to Custom Autopatch device conflict detection and resolution. - Device conflict detection and resolution within an Autopatch group. -- Custom to custom Autopatch group device conflict detection. - -The Windows Autopatch team is currently developing detection and resolution for the device conflict scenarios above, and plan to make them available in production still during the public preview timeframe. +- Custom to Cstom Autopatch group device conflict detection. ### Autopatch group Azure AD group remediator - **Status: Active** -The Windows Autopatch team is aware that the Windows Autopatch service is not automatically restoring the Azure AD groups that get created during the Autopatch groups creation/editing process. This means that if deleted or renamed, the following Azure AD groups that belong to the default Autopatch group and other Azure AD groups that get created with custom Autopatch groups will not be automatically remediated on your behalf yet: +The Windows Autopatch team is aware that the Windows Autopatch service isn't automatically restoring the Azure AD groups that get created during the Autopatch groups creation/editing process. If the following Azure AD groups, that belong to the Default Autopatch group and other Azure AD groups that get created with Custom Autopatch groups, are deleted or renamed, they won't be automatically remediated on your behalf yet: - Windows Autopatch – Test - Windows Autopatch – Ring1 @@ -201,14 +200,14 @@ The Windows Autopatch team is aware that the Windows Autopatch service is not au - Windows Autopatch – Ring3 - Windows Autopatch – Last -The Windows Autopatch team is currently developing the Autopatch group Azure AD group remediator feature and plan to make it available in production still during the public preview timeframe. +The Windows Autopatch team is currently developing the Autopatch group Azure AD group remediator feature and plan to make it available during public preview. > [!NOTE] -> The Autopatch group remediator will not cover remediation of the service-based deployment rings: +> The Autopatch group remediator won't remediate the service-based deployment rings: > > - Modern Workplace Devices-Windows Autopatch-Test > - Modern Workplace Devices-Windows Autopatch-First > - Modern Workplace Devices-Windows Autopatch-Fast > - Modern Workplace Devices-Windows Autopatch-Broad > -> Use the [Policy health feature](../operate/windows-autopatch-policy-health-and-remediation.md) to restore these groups, if needed. See [restore deployment groups](../operate/windows-autopatch-policy-health-and-remediation.md#restore-deployment-groups) for more information. +> Use the [Policy health feature](../operate/windows-autopatch-policy-health-and-remediation.md) to restore these groups, if needed. For more information, see [restore deployment groups](../operate/windows-autopatch-policy-health-and-remediation.md#restore-deployment-groups). From d9dd1e93e63a1912ea2ead52aa188965ce6ebbde Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 5 May 2023 08:18:01 -0700 Subject: [PATCH 11/30] Update windows-autopatch-groups-manage-autopatch-groups.md --- .../windows-autopatch-groups-manage-autopatch-groups.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index f92ad1edb8..9dc869daac 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -178,9 +178,10 @@ Autopatch groups will keep monitoring for all device conflict scenarios listed i ## Known issues -This section lists recent known issues with Autopatch groups during its public preview. +This section lists known issues with Autopatch groups during its public preview. ### Device conflict scenarios when using Autopatch groups + - **Status: Active** The Windows Autopatch team is aware that all device conflict scenarios listed below are currently being evaluated during the device registration process to make sure devices are properly registered with the service, and not evaluated post-device registration. The Windows Autopatch team is currently developing detection and resolution for the followin device conflict scenarios, and plan to make them available during public preview. @@ -190,6 +191,7 @@ The Windows Autopatch team is aware that all device conflict scenarios listed be - Custom to Cstom Autopatch group device conflict detection. ### Autopatch group Azure AD group remediator + - **Status: Active** The Windows Autopatch team is aware that the Windows Autopatch service isn't automatically restoring the Azure AD groups that get created during the Autopatch groups creation/editing process. If the following Azure AD groups, that belong to the Default Autopatch group and other Azure AD groups that get created with Custom Autopatch groups, are deleted or renamed, they won't be automatically remediated on your behalf yet: From 9d4e0e5021f06403c2ead56f4e791d1b26f0d28b Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 5 May 2023 08:20:57 -0700 Subject: [PATCH 12/30] Update windows-autopatch-groups-manage-autopatch-groups.md --- .../deploy/windows-autopatch-groups-manage-autopatch-groups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index 9dc869daac..2eed6eee26 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -174,7 +174,7 @@ When you create or edit the Custom or Default Autopatch group, Windows Autopatch #### Device conflict post device registration -Autopatch groups will keep monitoring for all device conflict scenarios listed in the [Manage device conflict scenarios when using Autopatch groups](../deploy/windows-autopatch-groups-.md#manage-device-conflict-scenarios-when-using-autopatch-groups) section even after devices were successfully registered with the service. +Autopatch groups will keep monitoring for all device conflict scenarios listed in the [Manage device conflict scenarios when using Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#manage-device-conflict-scenarios-when-using-autopatch-groups) section even after devices were successfully registered with the service. ## Known issues From 355de9f8b9066eff923416011eea5d063493decb Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Fri, 5 May 2023 18:01:21 -0500 Subject: [PATCH 13/30] Changes --- .../windows-autopatch-groups-manage-autopatch-groups.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index 2eed6eee26..3829c25f13 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -127,7 +127,7 @@ You **can’t** delete the Default Autopatch group. However, you can delete a Cu > [!IMPORTANT] > The Windows Autopatch groups functionaliy is in **public preview**. This feature is being actively developed and not all device conflict detection and resolution scenarios are working as expected. -> Fore more information on what to expect for this scenario during public preview, see [Known issues](#known-issues). +> For more information on what to expect for this scenario during public preview, see [Known issues](#known-issues). Overlap in device membership is a common scenario when working with device-based Azure AD groups since sometimes dynamic queries can be large in scope or the same assigned device membership can be used across different Azure AD groups. @@ -190,6 +190,12 @@ The Windows Autopatch team is aware that all device conflict scenarios listed be - Device conflict detection and resolution within an Autopatch group. - Custom to Cstom Autopatch group device conflict detection. +> [!TIP] +> Follow these two best practices to minimize device conflict scenarios when using Autopatch groups during the public preview: +> +> - Review your software update deployment requirements thoroughly, and if your deployment requirements allow, try using the default Autopatch group as much as possible, instead of start creating custom Autopatch groups. You can customize the default Autopatch to have up to 15 deployment rings, and using your existing device-based Azure AD groups with custom update deployment cadences. +> - If creating custom Autopatch groups, try to avoid using device-based Azure AD groups that have device membership overlaps with the devices that are already registered with the Windows Autopatch service, and already belong to the default Autopatch group. + ### Autopatch group Azure AD group remediator - **Status: Active** From 3d125559793f81b405514f2e77a1da2225379cd9 Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Fri, 5 May 2023 18:06:44 -0500 Subject: [PATCH 14/30] Changes --- .../deploy/windows-autopatch-groups-manage-autopatch-groups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index 3829c25f13..44b449f3c7 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -191,7 +191,7 @@ The Windows Autopatch team is aware that all device conflict scenarios listed be - Custom to Cstom Autopatch group device conflict detection. > [!TIP] -> Follow these two best practices to minimize device conflict scenarios when using Autopatch groups during the public preview: +> Follow these two best practices to help minimize device conflict scenarios when using Autopatch groups during the public preview: > > - Review your software update deployment requirements thoroughly, and if your deployment requirements allow, try using the default Autopatch group as much as possible, instead of start creating custom Autopatch groups. You can customize the default Autopatch to have up to 15 deployment rings, and using your existing device-based Azure AD groups with custom update deployment cadences. > - If creating custom Autopatch groups, try to avoid using device-based Azure AD groups that have device membership overlaps with the devices that are already registered with the Windows Autopatch service, and already belong to the default Autopatch group. From 15902826a416b3d028c8700c20530a21a3c56359 Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Fri, 5 May 2023 18:10:13 -0500 Subject: [PATCH 15/30] Changes --- .../deploy/windows-autopatch-groups-manage-autopatch-groups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index 44b449f3c7..0e01af10eb 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -193,7 +193,7 @@ The Windows Autopatch team is aware that all device conflict scenarios listed be > [!TIP] > Follow these two best practices to help minimize device conflict scenarios when using Autopatch groups during the public preview: > -> - Review your software update deployment requirements thoroughly, and if your deployment requirements allow, try using the default Autopatch group as much as possible, instead of start creating custom Autopatch groups. You can customize the default Autopatch to have up to 15 deployment rings, and using your existing device-based Azure AD groups with custom update deployment cadences. +> - Review your software update deployment requirements thoroughly, and if your deployment requirements allow, try using the default Autopatch group as much as possible, instead of start creating custom Autopatch groups. You can customize the default Autopatch to have up to 15 deployment rings, and you can use your existing device-based Azure AD groups with custom update deployment cadences. > - If creating custom Autopatch groups, try to avoid using device-based Azure AD groups that have device membership overlaps with the devices that are already registered with the Windows Autopatch service, and already belong to the default Autopatch group. ### Autopatch group Azure AD group remediator From fbbfabfedf8683cdeec1e17abb883f1c0be754a1 Mon Sep 17 00:00:00 2001 From: Arnab Mitra <38724550+msarnabm@users.noreply.github.com> Date: Sat, 6 May 2023 14:02:13 -0500 Subject: [PATCH 16/30] Fixing typo in Custom to Cstom FYI @andredm7 --- .../deploy/windows-autopatch-groups-manage-autopatch-groups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index 2eed6eee26..7776ca2706 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -188,7 +188,7 @@ The Windows Autopatch team is aware that all device conflict scenarios listed be - Default to Custom Autopatch device conflict detection and resolution. - Device conflict detection and resolution within an Autopatch group. -- Custom to Cstom Autopatch group device conflict detection. +- Custom to Custom Autopatch group device conflict detection. ### Autopatch group Azure AD group remediator From 22df2b95142394eb5a351868331666903ad077da Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Mon, 8 May 2023 07:32:03 -0700 Subject: [PATCH 17/30] Update windows-autopatch-groups-manage-autopatch-groups.md --- .../windows-autopatch-groups-manage-autopatch-groups.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index 0e01af10eb..cb21c2f54e 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -191,10 +191,10 @@ The Windows Autopatch team is aware that all device conflict scenarios listed be - Custom to Cstom Autopatch group device conflict detection. > [!TIP] -> Follow these two best practices to help minimize device conflict scenarios when using Autopatch groups during the public preview: +> Use the following two best practices to help minimize device conflict scenarios when using Autopatch groups during the public preview: > -> - Review your software update deployment requirements thoroughly, and if your deployment requirements allow, try using the default Autopatch group as much as possible, instead of start creating custom Autopatch groups. You can customize the default Autopatch to have up to 15 deployment rings, and you can use your existing device-based Azure AD groups with custom update deployment cadences. -> - If creating custom Autopatch groups, try to avoid using device-based Azure AD groups that have device membership overlaps with the devices that are already registered with the Windows Autopatch service, and already belong to the default Autopatch group. +> - Review your software update deployment requirements thoroughly. If your deployment requirements allow, try using the Default Autopatch group as much as possible, instead of start creating Custom Autopatch groups. You can customize the Default Autopatch to have up to 15 deployment rings, and you can use your existing device-based Azure AD groups with custom update deployment cadences. +> - If creating Custom Autopatch groups, try to avoid using device-based Azure AD groups that have device membership overlaps with the devices that are already registered with Windows Autopatch, and already belong to the Default Autopatch group. ### Autopatch group Azure AD group remediator From a31e8268510c41b36197a9dc6c8ffaf3c117a694 Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Mon, 8 May 2023 11:03:42 -0500 Subject: [PATCH 18/30] More changes --- .../windows-autopatch-device-registration-overview.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md index 3dab9cc693..0ef3ffa548 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md @@ -1,7 +1,7 @@ --- title: Device registration overview description: This article provides an overview on how to register devices in Autopatch -ms.date: 05/02/2023 +ms.date: 05/08/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -141,6 +141,9 @@ If your Autopatch groups have more than five deployment rings, and you must move If you want to move devices to different deployment rings (either service or software update-based), after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Registered** tab. +> [!IMPORTANT] +> It's only supported to move devices in between deployment rings within the same Autopatch group. It's not supported to move devices in between deployment rings across different Autopatch groups, if you try to select a device that belongs to one Autopatch group, and another device that belongs to a different Autopatch group, you receive the following error message on the top right corner of the Microsoft Intune portal: "**An error occurred. Please select devices within the same Autopatch group**. + **To move devices in between deployment rings:** > [!NOTE] @@ -150,7 +153,7 @@ If you want to move devices to different deployment rings (either service or sof 1. In the **Windows Autopatch** section, select **Devices**. 1. In the **Registered** tab, select one or more devices you want to assign. All selected devices will be assigned to the deployment ring you specify. 1. Select **Device actions** from the menu. -1. Select **Assign device group**. A fly-in opens. +1. Select **Assign ring**. A fly-in opens. 1. Use the dropdown menu to select the deployment ring to move devices to, and then select Save. The Ring assigned by column will change to Pending. 1. When the assignment is complete, the **Ring assigned by** column changes to Admin (which indicates that you made the change) and the **Ring** column shows the new deployment ring assignment. From c116a6720781de1420d23e616e5f80fb1ca2a72a Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Mon, 8 May 2023 09:14:06 -0700 Subject: [PATCH 19/30] Update windows-autopatch-device-registration-overview.md --- .../deploy/windows-autopatch-device-registration-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md index 0ef3ffa548..d36818f0fc 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md @@ -142,7 +142,7 @@ If your Autopatch groups have more than five deployment rings, and you must move If you want to move devices to different deployment rings (either service or software update-based), after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Registered** tab. > [!IMPORTANT] -> It's only supported to move devices in between deployment rings within the same Autopatch group. It's not supported to move devices in between deployment rings across different Autopatch groups, if you try to select a device that belongs to one Autopatch group, and another device that belongs to a different Autopatch group, you receive the following error message on the top right corner of the Microsoft Intune portal: "**An error occurred. Please select devices within the same Autopatch group**. +> You can only move devices in between deployment rings within the **same** Autopatch group. You can't move devices in between deployment rings across different Autopatch groups. If you try to select a device that belongs to one Autopatch group, and another device that belongs to a different Autopatch group, you receive the following error message on the top right corner of the Microsoft Intune portal: "**An error occurred. Please select devices within the same Autopatch group**. **To move devices in between deployment rings:** From 47b2aa5ca820b19fb0f673690de097ee73c0e223 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Mon, 8 May 2023 09:15:25 -0700 Subject: [PATCH 20/30] Update windows-autopatch-device-registration-overview.md --- .../deploy/windows-autopatch-device-registration-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md index d36818f0fc..f511e6481b 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md @@ -142,7 +142,7 @@ If your Autopatch groups have more than five deployment rings, and you must move If you want to move devices to different deployment rings (either service or software update-based), after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Registered** tab. > [!IMPORTANT] -> You can only move devices in between deployment rings within the **same** Autopatch group. You can't move devices in between deployment rings across different Autopatch groups. If you try to select a device that belongs to one Autopatch group, and another device that belongs to a different Autopatch group, you receive the following error message on the top right corner of the Microsoft Intune portal: "**An error occurred. Please select devices within the same Autopatch group**. +> You can only move devices in between deployment rings within the **same** Autopatch group. You can't move devices in between deployment rings across different Autopatch groups. If you try to select a device that belongs to one Autopatch group, and another device that belongs to a different Autopatch group, you'll receive the following error message on the top right corner of the Microsoft Intune portal: "**An error occurred. Please select devices within the same Autopatch group**. **To move devices in between deployment rings:** From 0da0569ad6cac1af3d4c2b4866d7ce806f0c9df8 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 8 May 2023 12:32:07 -0400 Subject: [PATCH 21/30] caution text for Win11 --- .../hello-for-business/feature-multifactor-unlock.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index c4e5d43423..7947712bea 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -29,6 +29,11 @@ The policy setting has three components: ## Configure unlock factors +> [!CAUTION] +> On Windows 11, the group policy [DontDisplayLastUserName](/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name) or the [InteractiveLogon_DoNotDisplayLastSignedIn CSP](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#interactivelogon_donotdisplaylastsignedin) are known to interfere with the ability to use multi-factor unlock. +> +> Disabling the group policy DontDisplayLastUserName or changing the InteractiveLogon_DoNotDisplayLastSignedIn CSP to 0 will let you use multi-factor unlock. + The **First unlock factor credential providers** and **Second unlock factor credential providers** portion of the policy setting each contain a comma separated list of credential providers. Supported credential providers include: @@ -40,8 +45,8 @@ Supported credential providers include: |Facial Recognition| `{8AF662BF-65A0-4D0A-A540-A338A999D36F}`| |Trusted Signal
(Phone proximity, Network location) | `{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}`| ->[!NOTE] ->Multifactor unlock does not support third-party credential providers or credential providers not listed in the above table. +> [!NOTE] +> Multifactor unlock does not support third-party credential providers or credential providers not listed in the above table. The default credential providers for the **First unlock factor credential provider** include: From fd80eca0a4fe4a90c0807abf24212dd5fbd355bb Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 8 May 2023 12:37:33 -0400 Subject: [PATCH 22/30] caution text for Win11 --- .../hello-for-business/feature-multifactor-unlock.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 7947712bea..cf9c8484b0 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -30,9 +30,7 @@ The policy setting has three components: ## Configure unlock factors > [!CAUTION] -> On Windows 11, the group policy [DontDisplayLastUserName](/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name) or the [InteractiveLogon_DoNotDisplayLastSignedIn CSP](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#interactivelogon_donotdisplaylastsignedin) are known to interfere with the ability to use multi-factor unlock. -> -> Disabling the group policy DontDisplayLastUserName or changing the InteractiveLogon_DoNotDisplayLastSignedIn CSP to 0 will let you use multi-factor unlock. +> On Windows 11, when the [DontDisplayLastUserName](/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name) security policy is enabled, it is known to interfere with the ability to use multi factor unlock. The **First unlock factor credential providers** and **Second unlock factor credential providers** portion of the policy setting each contain a comma separated list of credential providers. From e33939cd55a83816ad0b57d7edbbc81a705ced07 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Mon, 8 May 2023 10:10:10 -0700 Subject: [PATCH 23/30] fixed links --- .../operate/windows-autopatch-device-alerts.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md index 789a3b23e3..b1a830efeb 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md @@ -58,12 +58,12 @@ Alert resolutions are provided through the Windows Update service and provide th | `DeviceRegistrationInvalidGlobalDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Global Device ID. |The Windows Update service has reported that the MSA Service may be disabled preventing Global Device ID assignment.

Check that the MSA Service is running or able to run on device.

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| | `DeviceRegistrationIssue` | The device isn't able to register or authenticate properly with Windows Update. | The Windows Update service has reported a device registration issue.

For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| | `DeviceRegistrationNoTrustType` | The device isn't able to register or authenticate properly with Windows Update because it can't establish Trust. | The Windows Update service has reported a device registration issue.

For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| -| `DiskFull` | The installation couldn't be completed because the Windows partition is full. | The Windows Update service has reported there's insufficient disk space to perform the update. Free up disk space on the Windows partition and retry the installation.

For more information, see [Free up space for Windows Updates](/windows/free-up-space-for-windows-updates-429b12ba-f514-be0b-4924-ca6d16fa1d65#:~:text=Here%E2%80%99s%20how%20to%20get%20more%20storage%20space%20on,to%20Windows%20needs%20space%20to%20update.%20More%20items).

| +| `DiskFull` | The installation couldn't be completed because the Windows partition is full. | The Windows Update service has reported there's insufficient disk space to perform the update. Free up disk space on the Windows partition and retry the installation.

For more information, see [Free up space for Windows Updates](https://support.microsoft.com/windows/free-up-space-for-windows-updates-429b12ba-f514-be0b-4924-ca6d16fa1d65).

| | `DownloadCancelled` | Windows Update couldn't download the update because the update server stopped the connection. | The Windows Update service has reported an issue with your update server. Validate your network is working and retry the download. If the alert persists, review your network configuration to make sure that this computer can access the internet.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).

| | `DownloadConnectionIssue` | Windows Update couldn't connect to the update server and the update couldn't download. | The Windows Update service has reported an issue connecting to Windows Update. Review your network configuration, and to make sure that this computer can access the internet and Windows Update Online.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| | `DownloadCredentialsIssue` | Windows Update couldn't download the file because the Background Intelligent Transfer Service (BITS) couldn't connect to the internet. A proxy server or firewall on your network might require credentials. | The Windows Update service Windows has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client. Retry the download.

Review your network configuration to make sure that this computer can access the internet. Validate and/or allowlist Windows Update and Delivery Optimization endpoint.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| | `DownloadIssue` | There was an issue downloading the update. | The Windows Update service has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| -| `DownloadIssueServiceDisabled` | There was a problem with the Background Intelligent Transfer Service (BITS). The BITS service or a service it depends on might be disabled. | The Windows Updates service has reported that the BITS service is disabled. In the local client services, make sure that the Background Intelligent Transfer Service is enabled. If the service isn't running, try starting it manually. For more information, see [Issues with BITS](/security-updates/WindowsUpdateServices/18127392).

If it will not start, check the event log for errors or [submit a support request](../operate/windows-autopatch-support-request.md).

| +| `DownloadIssueServiceDisabled` | There was a problem with the Background Intelligent Transfer Service (BITS). The BITS service or a service it depends on might be disabled. | The Windows Updates service has reported that the BITS service is disabled. In the local client services, make sure that the Background Intelligent Transfer Service is enabled. If the service isn't running, try starting it manually. For more information, see [Issues with BITS](https://learn.microsoft.com/security-updates/WindowsUpdateServices/18127392).

If it will not start, check the event log for errors or [submit a support request](../operate/windows-autopatch-support-request.md).

| | `DownloadTimeout` | A timeout occurred while Windows tried to contact the update service or the server containing the update's payload. | The Windows Update service has reported it attempted to download the payload and the connection timed out.

Retry downloading the payload. If not successful, review your network configuration to make sure that this computer can access the internet.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5). | | `EndOfService` | The device is on a version of Windows that has passed its end of service date. | Windows Update service has reported the current version is past End of Service. Update device to a version that is currently serviced in [Feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).

For more information on OS versioning, see [Windows 10 release information](/windows/release-health/release-information).

| | `EndOfServiceApproaching` | The device is on a version of Windows that is approaching its end of service date. | Update device to a version that is currently serviced in [Feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).

For more information on OS versioning, see [Windows 10 release information](/windows/release-health/release-information).

| From 86b74f0c7b421f00e3c4351f7536ef74d877e33d Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Mon, 8 May 2023 11:34:45 -0700 Subject: [PATCH 24/30] Buh :poop: need :coffee: --- .../operate/windows-autopatch-device-alerts.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md index b1a830efeb..fe0551604d 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md @@ -61,9 +61,9 @@ Alert resolutions are provided through the Windows Update service and provide th | `DiskFull` | The installation couldn't be completed because the Windows partition is full. | The Windows Update service has reported there's insufficient disk space to perform the update. Free up disk space on the Windows partition and retry the installation.

For more information, see [Free up space for Windows Updates](https://support.microsoft.com/windows/free-up-space-for-windows-updates-429b12ba-f514-be0b-4924-ca6d16fa1d65).

| | `DownloadCancelled` | Windows Update couldn't download the update because the update server stopped the connection. | The Windows Update service has reported an issue with your update server. Validate your network is working and retry the download. If the alert persists, review your network configuration to make sure that this computer can access the internet.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).

| | `DownloadConnectionIssue` | Windows Update couldn't connect to the update server and the update couldn't download. | The Windows Update service has reported an issue connecting to Windows Update. Review your network configuration, and to make sure that this computer can access the internet and Windows Update Online.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| -| `DownloadCredentialsIssue` | Windows Update couldn't download the file because the Background Intelligent Transfer Service (BITS) couldn't connect to the internet. A proxy server or firewall on your network might require credentials. | The Windows Update service Windows has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client. Retry the download.

Review your network configuration to make sure that this computer can access the internet. Validate and/or allowlist Windows Update and Delivery Optimization endpoint.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| +| `DownloadCredentialsIssue` | Windows Update couldn't download the file because the Background Intelligent Transfer Service ([BITS](/windows/win32/bits/about-bits)) couldn't connect to the internet. A proxy server or firewall on your network might require credentials. | The Windows Update service Windows has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client. Retry the download.

Review your network configuration to make sure that this computer can access the internet. Validate and/or allowlist Windows Update and Delivery Optimization endpoint.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| | `DownloadIssue` | There was an issue downloading the update. | The Windows Update service has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| -| `DownloadIssueServiceDisabled` | There was a problem with the Background Intelligent Transfer Service (BITS). The BITS service or a service it depends on might be disabled. | The Windows Updates service has reported that the BITS service is disabled. In the local client services, make sure that the Background Intelligent Transfer Service is enabled. If the service isn't running, try starting it manually. For more information, see [Issues with BITS](https://learn.microsoft.com/security-updates/WindowsUpdateServices/18127392).

If it will not start, check the event log for errors or [submit a support request](../operate/windows-autopatch-support-request.md).

| +| `DownloadIssueServiceDisabled` | There was a problem with the Background Intelligent Transfer Service (BITS). The BITS service or a service it depends on might be disabled. | The Windows Updates service has reported that the BITS service is disabled. In the local client services, make sure that the Background Intelligent Transfer Service is enabled. If the service isn't running, try starting it manually. For more information, see [Issues with BITS](/windows/win32/bits/about-bits).

If it will not start, check the event log for errors or [submit a support request](../operate/windows-autopatch-support-request.md).

| | `DownloadTimeout` | A timeout occurred while Windows tried to contact the update service or the server containing the update's payload. | The Windows Update service has reported it attempted to download the payload and the connection timed out.

Retry downloading the payload. If not successful, review your network configuration to make sure that this computer can access the internet.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5). | | `EndOfService` | The device is on a version of Windows that has passed its end of service date. | Windows Update service has reported the current version is past End of Service. Update device to a version that is currently serviced in [Feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).

For more information on OS versioning, see [Windows 10 release information](/windows/release-health/release-information).

| | `EndOfServiceApproaching` | The device is on a version of Windows that is approaching its end of service date. | Update device to a version that is currently serviced in [Feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).

For more information on OS versioning, see [Windows 10 release information](/windows/release-health/release-information).

| From 81fef4d3a1a6fb7451285755c1b6b51066205b5b Mon Sep 17 00:00:00 2001 From: Annie Bader <131500875+anniebader@users.noreply.github.com> Date: Mon, 8 May 2023 12:36:16 -0700 Subject: [PATCH 25/30] Learn Editor: Update policies-in-policy-csp-supported-by-hololens2.md --- ...es-in-policy-csp-supported-by-hololens2.md | 38 +++++++++++-------- 1 file changed, 22 insertions(+), 16 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 11a4bb0c2c..b34efa313a 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -24,14 +24,15 @@ ms.date: 02/03/2023 - [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#preferredaadtenantdomainname) - [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#allowdiscoverablemode) - [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#localdevicename) -- [Browser/AllowAutofill](policy-csp-browser.md#allowautofill) -- [Browser/AllowCookies](policy-csp-browser.md#allowcookies) -- [Browser/AllowDoNotTrack](policy-csp-browser.md#allowdonottrack) -- [Browser/AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager) -- [Browser/AllowPopups](policy-csp-browser.md#allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen) +- [Browser/AllowAutofill](policy-csp-browser.md#allowautofill) 13 +- [Browser/AllowCookies](policy-csp-browser.md#allowcookies) 13 +- [Browser/AllowDoNotTrack](policy-csp-browser.md#allowdonottrack) 13 +- [Browser/AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager) 13 +- [Browser/AllowPopups](policy-csp-browser.md#allowpopups) 13 +- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar) 13 +- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen) 13 - [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth) +- [Connectivity/AllowConnectedDevices](https://https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-connectivity#allowconnecteddevices) 12 - [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#allowusbconnection) - [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#docachehost) 10 - [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#docachehostsource) 10 @@ -66,7 +67,6 @@ ms.date: 02/03/2023 - [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#configurentpclient) 12 - [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#disallownetworkconnectivitypassivepolling) 12 - [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#fallbackdiagnostics) 9 -- [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#headtrackingmode) 9 - [MixedReality/ManualDownDirectionDisabled](policy-csp-mixedreality.md#manualdowndirectiondisabled) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update) - [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#microphonedisabled) 9 - [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#ntpclientenabled) 12 @@ -74,14 +74,13 @@ ms.date: 02/03/2023 - [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#skiptrainingduringsetup) 12 - [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#visitorautologon) 10 - [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#volumebuttondisabled) 9 -- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#displayofftimeoutonbattery) 9 -- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#displayofftimeoutpluggedin) 9 -- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#energysaverbatterythresholdonbattery) 9 -- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#energysaverbatterythresholdpluggedin) 9 -- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#standbytimeoutonbattery) 9 -- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#standbytimeoutpluggedin) 9 +- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#displayofftimeoutonbattery) 9, 14 +- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#displayofftimeoutpluggedin) 9, 14 +- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#energysaverbatterythresholdonbattery) 9, 14 +- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#energysaverbatterythresholdpluggedin) 9, 14 +- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#standbytimeoutonbattery) 9, 14 +- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#standbytimeoutpluggedin) 9, 14 - [Privacy/AllowInputPersonalization](policy-csp-privacy.md#allowinputpersonalization) -- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#disableprivacyexperience) Insider - [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#letappsaccessaccountinfo) - [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_forceallowtheseapps) - [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_forcedenytheseapps) @@ -99,6 +98,9 @@ ms.date: 02/03/2023 - [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_forcedenytheseapps) 8 - [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_userincontroloftheseapps) 8 - [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#letappsaccesslocation) +- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](/windows/client-management/mdm/policy-csp-privacy) 12 +- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy) 12 +- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](/windows/client-management/mdm/policy-csp-privacy) 12 - [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#letappsaccessmicrophone) - [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forceallowtheseapps) 8 - [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forcedenytheseapps) 8 @@ -115,10 +117,11 @@ ms.date: 02/03/2023 - [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md#configstoragesensecloudcontentdehydrationthreshold) 12 - [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#configstoragesensedownloadscleanupthreshold) 12 - [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#configstoragesenseglobalcadence) 12 -- [System/AllowCommercialDataPipeline](policy-csp-system.md#allowcommercialdatapipeline) - [System/AllowLocation](policy-csp-system.md#allowlocation) - [System/AllowStorageCard](policy-csp-system.md#allowstoragecard) - [System/AllowTelemetry](policy-csp-system.md#allowtelemetry) +- [System/ConfigureTelemetryOptInSettingsUx](/windows/client-management/mdm/policy-csp-system) 12 +- [System/DisableDeviceDelete](/windows/client-management/mdm/policy-csp-system) 12 - [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#configuretimezone) 9 - [Update/ActiveHoursEnd](./policy-csp-update.md#activehoursend) 9 - [Update/ActiveHoursMaxRange](./policy-csp-update.md#activehoursmaxrange) 9 @@ -160,8 +163,11 @@ Footnotes: - 10 - Available in [Windows Holographic, version 21H1](/hololens/hololens-release-notes#windows-holographic-version-21h1) - 11 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2) - 12 - Available in [Windows Holographic, version 22H2](/hololens/hololens-release-notes#windows-holographic-version-22h2) +- 13 - Refer to [Configuring Policy Settings for the New Microsoft Edge](https://https://learn.microsoft.com/en-us/hololens/hololens-new-edge#configuring-policy-settings-for-the-new-microsoft-edge) +- 14 - Refer to [New Power Policies for Hololens 2](https://https://learn.microsoft.com/en-us/hololens/hololens-release-notes-2004#new-power-policies-for-hololens-2) - Insider - Available in our current [HoloLens Insider builds](/hololens/hololens-insider). ## Related topics [Policy CSP](policy-configuration-service-provider.md) + From db667fcb9396f62574b8831ad3b8ac307782ecb5 Mon Sep 17 00:00:00 2001 From: Annie Bader <131500875+anniebader@users.noreply.github.com> Date: Mon, 8 May 2023 12:42:23 -0700 Subject: [PATCH 26/30] Learn Editor: Update policies-in-policy-csp-supported-by-hololens2.md --- .../mdm/policies-in-policy-csp-supported-by-hololens2.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index b34efa313a..9b6055ecd4 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -171,3 +171,6 @@ Footnotes: [Policy CSP](policy-configuration-service-provider.md) +[Full HoloLens CSP Details](/windows/client-management/mdm/configuration-service-provider-support) + + From 8b8fbb16765546f6a0a38cf7274939cf5bc4ca2a Mon Sep 17 00:00:00 2001 From: Annie Bader <131500875+anniebader@users.noreply.github.com> Date: Mon, 8 May 2023 12:43:53 -0700 Subject: [PATCH 27/30] Learn Editor: Update policies-in-policy-csp-supported-by-hololens2.md --- .../mdm/policies-in-policy-csp-supported-by-hololens2.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 9b6055ecd4..5ba4ed05ed 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -174,3 +174,4 @@ Footnotes: [Full HoloLens CSP Details](/windows/client-management/mdm/configuration-service-provider-support) + From 80ba4de4b165cd4c195765b558d97ee0cddcb613 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 8 May 2023 15:59:32 -0400 Subject: [PATCH 28/30] Update windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md --- .../mdm/policies-in-policy-csp-supported-by-hololens2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 5ba4ed05ed..db966de7af 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -163,7 +163,7 @@ Footnotes: - 10 - Available in [Windows Holographic, version 21H1](/hololens/hololens-release-notes#windows-holographic-version-21h1) - 11 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2) - 12 - Available in [Windows Holographic, version 22H2](/hololens/hololens-release-notes#windows-holographic-version-22h2) -- 13 - Refer to [Configuring Policy Settings for the New Microsoft Edge](https://https://learn.microsoft.com/en-us/hololens/hololens-new-edge#configuring-policy-settings-for-the-new-microsoft-edge) +- 13 - Refer to [Configuring Policy Settings for the New Microsoft Edge](/hololens/hololens-new-edge#configuring-policy-settings-for-the-new-microsoft-edge) - 14 - Refer to [New Power Policies for Hololens 2](https://https://learn.microsoft.com/en-us/hololens/hololens-release-notes-2004#new-power-policies-for-hololens-2) - Insider - Available in our current [HoloLens Insider builds](/hololens/hololens-insider). From 3cb29ffa2375c7a0bf98683eaf8c96fa1178aba8 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 8 May 2023 15:59:48 -0400 Subject: [PATCH 29/30] Update windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md --- .../mdm/policies-in-policy-csp-supported-by-hololens2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index db966de7af..c3a72db09c 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -164,7 +164,7 @@ Footnotes: - 11 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2) - 12 - Available in [Windows Holographic, version 22H2](/hololens/hololens-release-notes#windows-holographic-version-22h2) - 13 - Refer to [Configuring Policy Settings for the New Microsoft Edge](/hololens/hololens-new-edge#configuring-policy-settings-for-the-new-microsoft-edge) -- 14 - Refer to [New Power Policies for Hololens 2](https://https://learn.microsoft.com/en-us/hololens/hololens-release-notes-2004#new-power-policies-for-hololens-2) +- 14 - Refer to [New Power Policies for Hololens 2](/hololens/hololens-release-notes-2004#new-power-policies-for-hololens-2) - Insider - Available in our current [HoloLens Insider builds](/hololens/hololens-insider). ## Related topics From 8aa8bbea34b11a31827566968f1396a54d793b8b Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 8 May 2023 15:59:58 -0400 Subject: [PATCH 30/30] Update windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md --- .../mdm/policies-in-policy-csp-supported-by-hololens2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index c3a72db09c..e45320b0b7 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -32,7 +32,7 @@ ms.date: 02/03/2023 - [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar) 13 - [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen) 13 - [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth) -- [Connectivity/AllowConnectedDevices](https://https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-connectivity#allowconnecteddevices) 12 +- [Connectivity/AllowConnectedDevices](policy-csp-connectivity.md#allowconnecteddevices) 12 - [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#allowusbconnection) - [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#docachehost) 10 - [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#docachehostsource) 10