Merge pull request #5266 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)
Gary Moore 2021-06-08 21:06:09 -07:00 committed by GitHub
commit 22f293a5b2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 289 additions and 16 deletions


@ -756,6 +756,186 @@ The XML below is the current version for this CSP.
<MIME>text/plain</MIME> <MIME>text/plain</MIME>
</DFType> </DFType>
</DFProperties> </DFProperties>
</Node>
<Node>
<NodeName>DisableGradualRelease</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Enable this policy to disable gradual rollout of Defender updates.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<Applicability>
<OsBuildVersion>99.9.99999</OsBuildVersion>
<CspVersion>1.3</CspVersion>
</Applicability>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>1</Value>
<ValueDescription>Gradual release is disabled</ValueDescription>
</Enum>
<Enum>
<Value>0</Value>
<ValueDescription>Gradual release is enabled</ValueDescription>
</Enum>
</AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DefinitionUpdatesChannel</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<Applicability>
<OsBuildVersion>99.9.99999</OsBuildVersion>
<CspVersion>1.3</CspVersion>
</Applicability>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>0</Value>
<ValueDescription>Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.</ValueDescription>
</Enum>
<Enum>
<Value>4</Value>
<ValueDescription>Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).</ValueDescription>
</Enum>
<Enum>
<Value>5</Value>
<ValueDescription>Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).</ValueDescription>
</Enum>
</AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>EngineUpdatesChannel</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<Applicability>
<OsBuildVersion>99.9.99999</OsBuildVersion>
<CspVersion>1.3</CspVersion>
</Applicability>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>0</Value>
<ValueDescription>Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.</ValueDescription>
</Enum>
<Enum>
<Value>2</Value>
<ValueDescription>Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.</ValueDescription>
</Enum>
<Enum>
<Value>3</Value>
<ValueDescription>Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.</ValueDescription>
</Enum>
<Enum>
<Value>4</Value>
<ValueDescription>Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).</ValueDescription>
</Enum>
<Enum>
<Value>5</Value>
<ValueDescription>Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).</ValueDescription>
</Enum>
</AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>PlatformUpdatesChannel</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<Applicability>
<OsBuildVersion>99.9.99999</OsBuildVersion>
<CspVersion>1.3</CspVersion>
</Applicability>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>0</Value>
<ValueDescription>Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.</ValueDescription>
</Enum>
<Enum>
<Value>2</Value>
<ValueDescription>Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.</ValueDescription>
</Enum>
<Enum>
<Value>3</Value>
<ValueDescription>Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.</ValueDescription>
</Enum>
<Enum>
<Value>4</Value>
<ValueDescription>Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).</ValueDescription>
</Enum>
<Enum>
<Value>5</Value>
<ValueDescription>Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).</ValueDescription>
</Enum>
</AllowedValues>
</DFProperties>
</Node> </Node>
</Node> </Node>
<Node> <Node>
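Review bot: The `ValueDescription` for value 4 under `DefinitionUpdatesChannel` says devices are offered updates "after the monthly gradual release cycle", but that node's `Description` describes daily definition updates during the daily gradual rollout. The wording appears to be copied from the `EngineUpdatesChannel` and `PlatformUpdatesChannel` nodes and should probably read `after the daily gradual release cycle`, which is worth confirming against actual product behaviour. Separately, all four added nodes carry `<OsBuildVersion>99.9.99999</OsBuildVersion>`, which looks like a placeholder, so an administrator cannot tell from this DDF which build first honours these settings. Since these nodes decide how soon Defender definition, engine and platform updates reach a device, the real minimum build, or a comment saying the value is provisional, would help anyone planning a rollout.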


@ -4521,7 +4521,7 @@ ADMX Info:
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. Prevents users from using My Computer to gain access to the content of selected drives. Available in the latest Windows 10 Insider Preview Build. Prevents users from using My Computer to gain access to the content of selected drives.
If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents (open the files in the folders or see the files in the folders). Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives.
To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list. To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list.


@ -51,7 +51,7 @@ manager: dansimp
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
@ -115,7 +115,7 @@ The following list shows the supported values:
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
@ -178,7 +178,7 @@ IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>


@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows ms.technology: windows
author: manikadhiman author: manikadhiman
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 09/27/2019 ms.date: 05/02/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
--- ---
@ -1045,9 +1045,7 @@ GP Info:
<!--/RegistryMapped--> <!--/RegistryMapped-->
<!--SupportedValues--> <!--SupportedValues-->
Valid values: Valid values: From 0 to 599940, where the value is the amount of inactivity time (in seconds) after which the session will be locked. If it is set to zero (0), the setting is disabled.
- 0 - disabled
- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit)
<!--/SupportedValues--> <!--/SupportedValues-->
<!--/Policy--> <!--/Policy-->


@ -49,6 +49,9 @@ manager: dansimp
<dd> <dd>
<a href="#system-allowtelemetry">System/AllowTelemetry</a> <a href="#system-allowtelemetry">System/AllowTelemetry</a>
</dd> </dd>
<dd>
<a href="#system-allowUpdateComplianceProcessing">System/AllowUpdateComplianceProcessing</a>
</dd>
<dd> <dd>
<a href="#system-allowusertoresetphone">System/AllowUserToResetPhone</a> <a href="#system-allowusertoresetphone">System/AllowUserToResetPhone</a>
</dd> </dd>
@ -789,6 +792,77 @@ ADMX Info:
<!--/ADMXMapped--> <!--/ADMXMapped-->
<!--/Policy--> <!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="system-allowUpdateComplianceProcessing"></a>**System/AllowUpdateComplianceProcessing**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Allows IT admins to enable diagnostic data from this device to be processed by Update Compliance.
If you enable this setting, it enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service.
If you disable or do not configure this policy setting, diagnostic data from this device will not be processed by Update Compliance.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow Update Compliance Processing*
- GP name: *AllowUpdateComplianceProcessing*
- GP element: *AllowUpdateComplianceProcessing*
- GP path: *Data Collection and Preview Builds*
- GP ADMX file name: *DataCollection.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - Disabled.
- 16 - Enabled.
<!--/SupportedValues-->
<!--/Policy-->
<hr/> <hr/>
<!--Policy--> <!--Policy-->
@ -850,6 +924,7 @@ The following list shows the supported values:
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
<!--Policy--> <!--Policy-->
<a href="" id="system-bootstartdriverinitialization"></a>**System/BootStartDriverInitialization** <a href="" id="system-bootstartdriverinitialization"></a>**System/BootStartDriverInitialization**
@ -1778,5 +1853,7 @@ Footnotes:
- 6 - Available in Windows 10, version 1903. - 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909. - 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004. - 8 - Available in Windows 10, version 2004.
- 9 - Available in Windows 10, version 20H2.
- 10 - Available in Windows 10, version 21H1.
<!--/Policies--> <!--/Policies-->


@ -61,9 +61,9 @@ SurfaceHub
--------SleepTimeout --------SleepTimeout
--------AllowSessionResume --------AllowSessionResume
--------AllowAutoProxyAuth --------AllowAutoProxyAuth
--------ProxyServers
--------DisableSigninSuggestions --------DisableSigninSuggestions
--------DoNotShowMyMeetingsAndFiles --------DoNotShowMyMeetingsAndFiles
----ProxyServers
----Management ----Management
--------GroupName --------GroupName
--------GroupSid --------GroupSid
@ -572,6 +572,11 @@ SurfaceHub
<p style="margin-left: 20px">The data type is boolean. Supported operation is Get and Replace. <p style="margin-left: 20px">The data type is boolean. Supported operation is Get and Replace.
<a href="" id="properties-proxyservers"></a>**Properties/ProxyServers**
<p style="margin-left: 20px">Added in <a href="https://support.microsoft.com/topic/may-28-2019-kb4499162-os-build-15063-1839-ed6780ab-38d6-f590-d789-5ba873b1e142" data-raw-source="[KB4499162](https://support.microsoft.com/topic/may-28-2019-kb4499162-os-build-15063-1839-ed6780ab-38d6-f590-d789-5ba873b1e142)">KB4499162</a> for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://).
<p style="margin-left: 20px">The data type is string. Supported operation is Get and Replace.
<a href="" id="properties-disablesigninsuggestions"></a>**Properties/DisableSigninSuggestions** <a href="" id="properties-disablesigninsuggestions"></a>**Properties/DisableSigninSuggestions**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. <p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings.


@ -80,8 +80,12 @@ A TPM-based virtual smart card is labeled **Security Device** in the user interf
## Changing the PIN ## Changing the PIN
The PIN for virtual smart card can be changed by pressing Ctrl+Alt+Del, and then selecting the TPM virtual smart card under **Sign in options**. The PIN for a virtual smart card can be changed by following these steps:
- Sign in with the old PIN or password.
- Press Ctrl+Alt+Del and choose **Change a password**.
- Select **Sign-in Options**.
- Select the virtual smart card icon.
- Enter and confirm the new PIN.
## Resolving issues ## Resolving issues
### TPM not provisioned ### TPM not provisioned


@ -507,8 +507,6 @@ contoso.internalproxy1.com;contoso.internalproxy2.com
### IPv4 ranges ### IPv4 ranges
Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv4 value range within your intranet. Specify the addresses for a valid IPv4 value range within your intranet.
These addresses, used with your Network domain names, define your corporate network boundaries. These addresses, used with your Network domain names, define your corporate network boundaries.
Classless Inter-Domain Routing (CIDR) notation isnt supported. Classless Inter-Domain Routing (CIDR) notation isnt supported.


@ -71,6 +71,17 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. |
| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. |
The following options are valid for supplemental policies. However, option 5 is not implemented as it is reserved for future work, and option 7 is not supported.
| Rule option | Description |
|------------ | ----------- |
| 5 | Enabled: Inherit Default Policy |
| **6** | **Enabled: Unsigned System Integrity Policy** |
| 7 | Allowed: Debug Policy Augmented |
| **13** | **Enabled: Managed Installer** |
| **14** | **Enabled: Intelligent Security Graph Authorization** |
| **18** | **Disabled: Runtime FilePath Rule Protection** |
## Windows Defender Application Control file rule levels ## Windows Defender Application Control file rule levels
File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as granular as the hash of each binary or as general as a CA certificate. You specify file rule levels when using WDAC PowerShell cmdlets to create and modify policies. File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as granular as the hash of each binary or as general as a CA certificate. You specify file rule levels when using WDAC PowerShell cmdlets to create and modify policies.