diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 248d7b95f8..ff28625681 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -4,7 +4,7 @@ description: Learn more about the BitLocker CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -88,15 +88,16 @@ The following list shows the BitLocker configuration service provider nodes: Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged-on user is non-admin/standard user. + "AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, Silent encryption is enforced. -If "AllowWarningForOtherDiskEncryption" isn't set, or is set to "1", "RequireDeviceEncryption" policy won't try to encrypt drive(s) if a standard user -is the current logged-on user in the system. + +If "AllowWarningForOtherDiskEncryption" isn't set, or is set to "1", "RequireDeviceEncryption" policy won't try to encrypt drive(s) if a standard user is the current logged-on user in the system. The expected values for this policy are: 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. -0 = This is the default, when the policy isn't set. If current logged-on user is a standard user, "RequireDeviceEncryption" policy -won't try to enable encryption on any drive. + +0 = This is the default, when the policy isn't set. If current logged-on user is a standard user, "RequireDeviceEncryption" policy won't try to enable encryption on any drive. 
@@ -172,6 +173,7 @@ This policy setting allows suspending protection for BitLocker Drive Encryption The expected values for this policy are: 0 = Prevent BitLocker Drive Encryption protection from being suspended. + 1 = This is the default, when the policy isn't set. Allows suspending BitLocker Drive Encryption protection. @@ -225,8 +227,7 @@ Allows Admin to disable all UI (notification for encryption and warning prompt f and turn on encryption on the user machines silently. > [!WARNING] -> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will -require reinstallation of Windows. +> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will require reinstallation of Windows. > [!NOTE] > This policy takes effect only if "RequireDeviceEncryption" policy is set to 1. @@ -234,8 +235,9 @@ require reinstallation of Windows. The expected values for this policy are: 1 = This is the default, when the policy isn't set. Warning prompt and encryption notification is allowed. -0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, -the value 0 only takes effect on Azure Active Directory joined devices. + +0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, the value 0 only takes effect on Azure Active Directory joined devices. + Windows will attempt to silently enable BitLocker for value 0. 
@@ -311,14 +313,17 @@ Windows will attempt to silently enable BitLocker for value 0. Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices. -When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when -Active Directory back up for recovery password is configured to required. -For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives" -For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives" + +When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required. + +For OS drive: Turn on "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives". + +For Fixed drives: Turn on "Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives". Supported Values: 0 - Numeric Recovery Passwords rotation OFF. + 1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value -2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices +2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices. @@ -1117,6 +1122,7 @@ To disable this policy, use the following SyncML: Allows the Admin to require encryption to be turned on using BitLocker\Device Encryption. Sample value for this node to enable this policy: + 1 Disabling the policy won't turn off the encryption on the system drive. But will stop prompting the user to turn it on. 
@@ -1209,7 +1215,9 @@ To disable RequireDeviceEncryption: Allows the Admin to require storage card encryption on the device. This policy is only valid for mobile SKU. + Sample value for this node to enable this policy: + 1 Disabling the policy won't turn off the encryption on the storage card. But will stop prompting the user to turn it on. @@ -1262,16 +1270,19 @@ Disabling the policy won't turn off the encryption on the storage card. But will Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device. + This policy is Execute type and rotates all numeric passwords when issued from MDM tools. -The policy only comes into effect when Active Directory backup for a recovery password is configured to "required." -- For OS drives, enable "Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for operating system drives." -- For fixed drives, enable "Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for fixed data drives." +The policy only comes into effect when Active Directory backup for a recovery password is configured to "required". + +- For OS drives, enable "Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for operating system drives". + +- For fixed drives, enable "Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for fixed data drives". Client returns status DM_S_ACCEPTED_FOR_PROCESSING to indicate the rotation has started. Server can query status with the following status nodes: - status\RotateRecoveryPasswordsStatus -- status\RotateRecoveryPasswordsRequestID +- status\RotateRecoveryPasswordsRequestID. Supported Values: String form of request ID. Example format of request ID is GUID. Server can choose the format as needed according to the management tools. 
@@ -1369,6 +1380,7 @@ Supported Values: String form of request ID. Example format of request ID is GUI This node reports compliance state of device encryption on the system. + Value '0' means the device is compliant. Any other value represents a non-compliant device. @@ -1469,8 +1481,8 @@ This node reports compliance state of removal drive encryption. "0" Value means This Node reports the RequestID corresponding to RotateRecoveryPasswordsStatus. -This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus -To ensure the status is correctly matched to the request ID. + +This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus to ensure the status is correctly matched to the request ID. @@ -1510,7 +1522,9 @@ To ensure the status is correctly matched to the request ID. This Node reports the status of RotateRecoveryPasswords request. + Status code can be one of the following: + NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure. @@ -1625,9 +1639,9 @@ The Windows touch keyboard (such as that used by tablets) isn't available in the Note that if you don't enable this policy setting, options in the "Require additional authentication at startup" policy might not be available on such devices. These options include: - - Configure TPM startup PIN: Required/Allowed - - Configure TPM startup key and PIN: Required/Allowed - - Configure use of passwords for operating system drives. +- Configure TPM startup PIN: Required/Allowed +- Configure TPM startup key and PIN: Required/Allowed +- Configure use of passwords for operating system drives. 
@@ -2211,7 +2225,7 @@ This policy setting allows you to configure whether BitLocker requires additiona > [!NOTE] > Only one of the additional authentication options can be required at startup, otherwise a policy error occurs. -If you want to use BitLocker on a computer without a TPM, select the "Allow BitLocker without a compatible TPM" check box. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive. +If you want to use BitLocker on a computer without a TPM, select the "Allow BitLocker without a compatible TPM" check box. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you'll need to use one of the BitLocker recovery options to access the drive. On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both. diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 53f3bc2a65..8e74c3c59e 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md 
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -4,7 +4,7 @@ description: Learn more about the ClientCertificateInstall CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -162,7 +162,9 @@ Required for PFX certificate installation. The parent node grouping the PFX cert Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. + Format is node. + Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob. @@ -205,6 +207,7 @@ Calling Delete on the this node, should delete the certificates and the keys tha Optional. + Specifies the NGC container name (if NGC KSP is chosen for above node). If this node isn't specified when NGC KSP is chosen, enrollment will fail. 
@@ -295,9 +298,13 @@ Required for PFX certificate installation. Indicates the KeyStorage provider to Required. + [CRYPT_DATA_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)) structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation. + If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. + If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it doesn't exist, this will fail. + In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate @@ -377,6 +384,7 @@ Password that protects the PFX blob. This is required if the PFX is password pro Optional. + When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. @@ -418,6 +426,7 @@ When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the Optional. Used to specify if the PFX certificate password is encrypted with a certificate. + If the value is 0 - Password isn't encrypted 1- Password is encrypted using the MDM certificate by the MDM server @@ -643,6 +652,7 @@ Node for SCEP. An alert is sent after the SCEP certificate is installed. Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. + Calling Delete on the this node, should delete the corresponding SCEP certificate. 
@@ -921,6 +931,7 @@ Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Optional. + Specifies the NGC container name (if NGC KSP is chosen for above node). If this node isn't specified when NGC KSP is chosen, enrollment will fail. @@ -1119,6 +1130,7 @@ For NGC, only SHA256 is supported as the supported algorithm. Required for enrollment. Specify private key length (RSA). + Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. @@ -1171,6 +1183,7 @@ Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. Optional. Specify where to keep the private key. Note that even it's protected by TPM, it isn't guarded with TPM PIN. + SCEP enrolled cert doesn't support TPM PIN protection. @@ -1262,6 +1275,7 @@ Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for Optional. Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value can't be larger than 30. If it's larger than 30, the device will use 30. + The min value is 0 which means no retry. @@ -1505,6 +1519,7 @@ Optional. OID of certificate template name. Note that this name is typically ign Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. + MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) the SCEP server as part of certificate enrollment request. It's the server's decision on how to use this valid period to create the certificate. @@ -1638,7 +1653,9 @@ Required. Returns the URL of the SCEP server that responded to the enrollment re Required. Specify the latest status for the certificate due to enroll request. + Valid values are: + 1 - finished successfully 2 - pending (the device hasn't finished the action but has received the SCEP server pending response) 32 - unknown 
@@ -1721,7 +1738,9 @@ Required for PFX certificate installation. The parent node grouping the PFX cert Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. + Format is node. + Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob. @@ -1764,6 +1783,7 @@ Calling Delete on the this node, should delete the certificates and the keys tha Optional. + Specifies the NGC container name (if NGC KSP is chosen for above node). If this node isn't specified when NGC KSP is chosen, enrollment will fail. @@ -1854,9 +1874,13 @@ Required for PFX certificate installation. Indicates the KeyStorage provider to Required. + [CRYPT_DATA_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)) structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation. + If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. + If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it doesn't exist, this will fail. + In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate @@ -1936,6 +1960,7 @@ Password that protects the PFX blob. This is required if the PFX is password pro Optional. + When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. 
@@ -1977,6 +2002,7 @@ When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the Optional. Used to specify if the PFX certificate password is encrypted with a certificate. + If the value is 0 - Password isn't encrypted 1- Password is encrypted using the MDM certificate by the MDM server @@ -2200,6 +2226,7 @@ Node for SCEP. An alert is sent after the SCEP certificate is installed. Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. + Calling Delete on the this node, should delete the corresponding SCEP certificate. @@ -2478,6 +2505,7 @@ Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Optional. + Specifies the NGC container name (if NGC KSP is chosen for above node). If this node isn't specified when NGC KSP is chosen, enrollment will fail. @@ -2676,6 +2704,7 @@ For NGC, only SHA256 is supported as the supported algorithm. Required for enrollment. Specify private key length (RSA). + Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. @@ -2728,6 +2757,7 @@ Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. Optional. Specify where to keep the private key. Note that even it's protected by TPM, it isn't guarded with TPM PIN. + SCEP enrolled cert doesn't support TPM PIN protection. @@ -2819,6 +2849,7 @@ Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for Optional. Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value can't be larger than 30. If it's larger than 30, the device will use 30. + The min value is 0 which means no retry. 
@@ -3062,6 +3093,7 @@ Optional. OID of certificate template name. Note that this name is typically ign Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. + MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) the SCEP server as part of certificate enrollment request. It's the server's decision on how to use this valid period to create the certificate. @@ -3195,7 +3227,9 @@ Required. Returns the URL of the SCEP server that responded to the enrollment re Required. Specify the latest status for the certificate due to enroll request. + Valid values are: + 1 - finished successfully 2 - pending (the device hasn't finished the action but has received the SCEP server pending response) 32 - unknown diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 0496ae8985..72fb71fe7b 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -4,7 +4,7 @@ description: Learn more about the Defender CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -2429,57 +2429,108 @@ The ID of a threat that has been detected by Windows Defender. Threat category ID. Supported values: -| Value | Description | -|:--|:--| -| 0 | Invalid | -| 1 | Adware | -| 2 | Spyware | -| 3 | Password stealer | -| 4 | Trojan downloader | -| 5 | Worm | -| 6 | Backdoor | -| 7 | Remote access Trojan | -| 8 | Trojan | -| 9 | Email flooder | -| 10 | Keylogger | -| 11 | Dialer | -| 12 | Monitoring software | -| 13 | Browser modifier | -| 14 | Cookie | -| 15 | Browser plugin | -| 16 | AOL exploit | -| 17 | Nuker | -| 18 | Security disabler | -| 19 | Joke program | -| 20 | Hostile ActiveX control | -| 21 | Software bundler | -| 22 | Stealth modifier | -| 23 | Settings modifier | -| 24 | Toolbar | -| 25 | Remote control software | -| 26 | Trojan FTP | -| 27 | Potential unwanted software | -| 28 | ICQ exploit | -| 29 | Trojan telnet | -| 30 | Exploit | -| 31 | File sharing program | -| 32 | Malware creation tool | -| 33 | Remote control software | -| 34 | Tool | -| 36 | Trojan denial of service | -| 37 | Trojan dropper | -| 38 | Trojan mass mailer | -| 39 | Trojan monitoring software | -| 40 | Trojan proxy server | -| 42 | Virus | -| 43 | Known | -| 44 | Unknown | -| 45 | SPP | -| 46 | Behavior | -| 47 | Vulnerability | -| 48 | Policy | -| 49 | EUS (Enterprise Unwanted Software) | -| 50 | Ransomware | +| Value | Description |. + +|:--|:--|. + +| 0 | Invalid |. + +| 1 | Adware |. + +| 2 | Spyware |. + +| 3 | Password stealer |. + +| 4 | Trojan downloader |. + +| 5 | Worm |. + +| 6 | Backdoor |. + +| 7 | Remote access Trojan |. + +| 8 | Trojan |. + +| 9 | Email flooder |. + +| 10 | Keylogger |. + +| 11 | Dialer |. + +| 12 | Monitoring software |. + +| 13 | Browser modifier |. + +| 14 | Cookie |. + +| 15 | Browser plugin |. + +| 16 | AOL exploit |. + +| 17 | Nuker |. + +| 18 | Security disabler |. + +| 19 | Joke program |. + +| 20 | Hostile ActiveX control |. + +| 21 | Software bundler |. + +| 22 | Stealth modifier |. + +| 23 | Settings modifier |. 
+ +| 24 | Toolbar |. + +| 25 | Remote control software |. + +| 26 | Trojan FTP |. + +| 27 | Potential unwanted software |. + +| 28 | ICQ exploit |. + +| 29 | Trojan telnet |. + +| 30 | Exploit |. + +| 31 | File sharing program |. + +| 32 | Malware creation tool |. + +| 33 | Remote control software |. + +| 34 | Tool |. + +| 36 | Trojan denial of service |. + +| 37 | Trojan dropper |. + +| 38 | Trojan mass mailer |. + +| 39 | Trojan monitoring software |. + +| 40 | Trojan proxy server |. + +| 42 | Virus |. + +| 43 | Known |. + +| 44 | Unknown |. + +| 45 | SPP |. + +| 46 | Behavior |. + +| 47 | Vulnerability |. + +| 48 | Policy |. + +| 49 | EUS (Enterprise Unwanted Software) |. + +| 50 | Ransomware |. + | 51 | ASR Rule | @@ -2521,18 +2572,30 @@ Threat category ID. Supported values: Information about the current status of the threat. The following list shows the supported values: -| Value | Description | -|:--|:--| -| 0 | Active | -| 1 | Action failed | -| 2 | Manual steps required | -| 3 | Full scan required | -| 4 | Reboot required | -| 5 | Remediated with noncritical failures | -| 6 | Quarantined | -| 7 | Removed | -| 8 | Cleaned | -| 9 | Allowed | +| Value | Description |. + +|:--|:--|. + +| 0 | Active |. + +| 1 | Action failed |. + +| 2 | Manual steps required |. + +| 3 | Full scan required |. + +| 4 | Reboot required |. + +| 5 | Remediated with noncritical failures |. + +| 6 | Quarantined |. + +| 7 | Removed |. + +| 8 | Cleaned |. + +| 9 | Allowed |. + | 10 | No Status ( Cleared) | @@ -2769,12 +2832,18 @@ Number of times this threat has been detected on a particular client. Threat severity ID. The following list shows the supported values: -| Value | Description | -|:--|:--| -| 0 | Unknown | -| 1 | Low | -| 2 | Moderate | -| 4 | High | +| Value | Description |. + +|:--|:--|. + +| 0 | Unknown |. + +| 1 | Low |. + +| 2 | Moderate |. + +| 4 | High |. + | 5 | Severe | 
@@ -2894,13 +2963,20 @@ An interior node to group information about Windows Defender health status. Provide the current state of the device. The following list shows the supported values: -| Value | Description | -|:--|:--| -| 0 | Clean | -| 1 | Pending full scan | -| 2 | Pending reboot | -| 4 | Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan) | -| 8 | Pending offline scan | +| Value | Description |. + +|:--|:--|. + +| 0 | Clean |. + +| 1 | Pending full scan |. + +| 2 | Pending reboot |. + +| 4 | Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan) |. + +| 8 | Pending offline scan |. + | 16 | Pending critical failure (Windows Defender has failed critically and an Administrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender) | 
@@ -3293,33 +3369,60 @@ Indicates whether network protection is running. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. Supported product status values: -| Value | Description | -|:--|:--| -| 0 | No status | -| 1 (1 << 0) | Service not running | -| 2 (1 << 1) | Service started without any malware protection engine | -| 4 (1 << 2) | Pending full scan due to threat action | -| 8 (1 << 3) | Pending reboot due to threat action | -| 16 (1 << 4) | ending manual steps due to threat action | -| 32 (1 << 5) | AV signatures out of date | -| 64 (1 << 6) | AS signatures out of date | -| 128 (1 << 7) | No quick scan has happened for a specified period | -| 256 (1 << 8) | No full scan has happened for a specified period | -| 512 (1 << 9) | System initiated scan in progress | -| 1024 (1 << 10) | System initiated clean in progress | -| 2048 (1 << 11) | There are samples pending submission | -| 4096 (1 << 12) | Product running in evaluation mode | -| 8192 (1 << 13) | Product running in non-genuine Windows mode | -| 16384 (1 << 14) | Product expired | -| 32768 (1 << 15) | Off-line scan required | -| 65536 (1 << 16) | Service is shutting down as part of system shutdown | -| 131072 (1 << 17) | Threat remediation failed critically | -| 262144 (1 << 18) | Threat remediation failed non-critically | -| 524288 (1 << 19) | No status flags set (well initialized state) | -| 1048576 (1 << 20) | Platform is out of date | -| 2097152 (1 << 21) | Platform update is in progress | -| 4194304 (1 << 22) | Platform is about to be outdated | -| 8388608 (1 << 23) | Signature or platform end of life is past or is impending | +| Value | Description |. + +|:--|:--|. + +| 0 | No status |. + +| 1 (1 << 0) | Service not running |. + +| 2 (1 << 1) | Service started without any malware protection engine |. + +| 4 (1 << 2) | Pending full scan due to threat action |. + +| 8 (1 << 3) | Pending reboot due to threat action |. 
+ +| 16 (1 << 4) | ending manual steps due to threat action |. + +| 32 (1 << 5) | AV signatures out of date |. + +| 64 (1 << 6) | AS signatures out of date |. + +| 128 (1 << 7) | No quick scan has happened for a specified period |. + +| 256 (1 << 8) | No full scan has happened for a specified period |. + +| 512 (1 << 9) | System initiated scan in progress |. + +| 1024 (1 << 10) | System initiated clean in progress |. + +| 2048 (1 << 11) | There are samples pending submission |. + +| 4096 (1 << 12) | Product running in evaluation mode |. + +| 8192 (1 << 13) | Product running in non-genuine Windows mode |. + +| 16384 (1 << 14) | Product expired |. + +| 32768 (1 << 15) | Off-line scan required |. + +| 65536 (1 << 16) | Service is shutting down as part of system shutdown |. + +| 131072 (1 << 17) | Threat remediation failed critically |. + +| 262144 (1 << 18) | Threat remediation failed non-critically |. + +| 524288 (1 << 19) | No status flags set (well initialized state) |. + +| 1048576 (1 << 20) | Platform is out of date |. + +| 2097152 (1 << 21) | Platform update is in progress |. + +| 4194304 (1 << 22) | Platform is about to be outdated |. + +| 8388608 (1 << 23) | Signature or platform end of life is past or is impending |. + | 16777216 (1 << 24) | Windows SMode signatures still in use on non-Win10S install | diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index ecfe0c99d9..ce77f658d1 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -4,7 +4,7 @@ description: Learn more about the DMAcc CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -878,9 +878,10 @@ Defines a set of Microsoft-specific extended parameters. This element is created This node specifies whether to disable the ability of the DM client to communicate with a down-level server. + Possible Values: -false (default) -- Compatibility with down-level servers is enabled -true -- Compatibility with down-level servers is disabled. + +false (default) -- Compatibility with down-level servers is enabled true -- Compatibility with down-level servers is disabled. @@ -1432,8 +1433,11 @@ the UUID of the device. This node specifies whether the DM client can use the nonce resynchronization protocol when authentication of a server notification fails. If nonce resynchronization is disabled and authentication of the server notification fails, the notification is dropped. + Possible Values: + false (default) : Nonce resynchronization is disabled. + true: Nonce resynchronization is enabled. diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md index 85def42a46..ddb612ea0c 100644 --- a/windows/client-management/mdm/email2-csp.md +++ b/windows/client-management/mdm/email2-csp.md @@ -4,7 +4,7 @@ description: Learn more about the EMAIL2 CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -257,6 +257,7 @@ Character string that specifies the name used to authorize the user to a specifi Character string that specifies whether the outgoing server requires authentication. + 1 for TRUE 0 for FALSE(default). diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 308aa06a7c..d9396625f8 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md 
@@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1237,10 +1237,15 @@ A unique GUID string identifier for this dynamic keyword address. Consists of one or more comma-delimited tokens specifying the addresses covered by this keyword. This value shouldn't be set if AutoResolve is true. + Valid tokens include: + A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. + A valid IPv6 address. + An IPv4 address range in the format of "start address - end address" with no spaces included. + An IPv6 address range in the format of "start address - end address" with no spaces included. @@ -1491,6 +1496,7 @@ Specifies the action for the rule. Specifies the action the rule enforces: + 0 - Block 1 - Allow. @@ -1545,9 +1551,12 @@ Rules that control connections for an app, program or service. Specified based on the intersection of the following nodes. -PackageFamilyName -FilePath -FQBN +PackageFamilyName. + +FilePath. + +FQBN. + ServiceName. @@ -1785,6 +1794,7 @@ Specifies the description of the rule. The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. + OUT - the rule applies to outbound traffic. If not specified the default is OUT. @@ -1889,6 +1899,7 @@ New rules have the EdgeTraversal property disabled by default. Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. + If not specified - a new rule is disabled by default. 
@@ -1978,6 +1989,7 @@ Comma separated list of ICMP types and codes applicable to the firewall rule. To String value. Multiple interface types can be included in the string by separating each value with a ",". Acceptable values are "RemoteAccess", "Wireless", "Lan", "MBB", and "All". + If more than one interface type is specified, the strings must be separated by a comma. @@ -2031,12 +2043,17 @@ If more than one interface type is specified, the strings must be separated by a Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "\*" is the default value. + Valid tokens include: + "\*" indicates any local address. If present, this must be the only token included. A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. + A valid IPv6 address. + An IPv4 address range in the format of "start address - end address" with no spaces included. + An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. @@ -2078,6 +2095,7 @@ An IPv6 address range in the format of "start address - end address" with no spa Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). @@ -2119,6 +2137,7 @@ When setting this field in a firewall rule, the protocol field must also be set, Specifies the list of authorized local users for the app container. + This is a string in Security Descriptor Definition Language (SDDL) format\. 
@@ -2198,7 +2217,7 @@ Specifies the friendly name of the firewall rule. -Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". A PolicyAppId and ServiceName can't be specified in the same rule. +Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ""., and "_". A PolicyAppId and ServiceName can't be specified in the same rule. @@ -2370,7 +2389,9 @@ Comma separated list of Dynamic Keyword Address Ids (GUID strings) specifying th Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. The default value is "\*". Valid tokens include: + "\*" indicates any remote address. If present, this must be the only token included. + "Defaultgateway" "DHCP" "DNS" @@ -2380,9 +2401,13 @@ Consists of one or more comma-delimited tokens specifying the remote addresses c "Internet" "PlayToRenderers" "LocalSubnet" indicates any local address on the local subnet. This token isn't case-sensitive. + A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. + A valid IPv6 address. + An IPv4 address range in the format of "start address - end address" with no spaces included. + An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. @@ -2424,6 +2449,7 @@ An IPv6 address range in the format of "start address - end address" with no spa Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). 
@@ -3117,6 +3143,7 @@ Unique alpha numeric identifier for the rule. The rule name mustn't include a fo Specifies the action the rule enforces: + 0 - Block 1 - Allow. @@ -3170,6 +3197,7 @@ Specifies the action the rule enforces: The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. + OUT - the rule applies to outbound traffic. If not specified the default is OUT. @@ -3222,6 +3250,7 @@ If not specified the default is OUT. Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. + If not specified - a new rule is disabled by default. @@ -3271,12 +3300,17 @@ If not specified - a new rule is disabled by default. Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "\*" is the default value. + Valid tokens include: + "\*" indicates any local address. If present, this must be the only token included. A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. + A valid IPv6 address. + An IPv4 address range in the format of "start address - end address" with no spaces included. + An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. 
@@ -3527,10 +3561,15 @@ Specifies the profiles to which the rule belongs: Domain, Private, Public. See [ Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. The default value is "\*". Valid tokens include: + "\*" indicates any remote address. If present, this must be the only token included. + A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. + A valid IPv6 address. + An IPv4 address range in the format of "start address - end address" with no spaces included. + An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md index dad05ffbd7..21eb2d1b73 100644 --- a/windows/client-management/mdm/laps-csp.md +++ b/windows/client-management/mdm/laps-csp.md @@ -4,7 +4,7 @@ description: Learn more about the LAPS CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -448,7 +448,7 @@ The allowable settings are: 0=Disabled (password won't be backed up) 1=Backup the password to Azure AD only -2=Backup the password to Active Directory only +2=Backup the password to Active Directory only. If not specified, this setting will default to 0. @@ -502,7 +502,7 @@ If not specified, this setting will default to 0. Use this policy to configure the maximum password age of the managed local administrator account. -If not specified, this setting will default to 30 days +If not specified, this setting will default to 30 days. This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password to Azure AD. 
@@ -555,7 +555,7 @@ The allowable settings are: 1=Large letters 2=Large letters + small letters 3=Large letters + small letters + numbers -4=Large letters + small letters + numbers + special characters +4=Large letters + small letters + numbers + special characters. If not specified, this setting will default to 4. diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index a56f1e976a..a325b44c94 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -417,9 +417,9 @@ Root node for PIN policies. Use this policy setting to configure the use of digits in the Windows Hello for Business PIN. -A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN. +A value of 1 corresponds to "Required". If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN. -A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN. +A value of 2 corresponds to "Disallow". If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN. If you don't configure this policy setting, Windows Hello for Business requires users to use digits in their PIN. 
@@ -555,9 +555,9 @@ This policy specifies the number of past PINs that can be stored in the history Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN. -A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN. +A value of 1 corresponds to "Required". If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN. -A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN. +A value of 2 corresponds to "Disallow". If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN. If you don't configure this policy setting, Windows Hello for Business doesn't allow users to use lowercase letters in their PIN. 
@@ -707,9 +707,9 @@ Minimum PIN length configures the minimum number of characters required for the Use this policy setting to configure the use of special characters in the Windows Hello for Business PIN gesture. Valid special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; `< = >` ? @ [ \ ] ^ _ ` { | } ~ . -A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. +A value of 1 corresponds to "Required". If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. -A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN. +A value of 2 corresponds to "Disallow". If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN. If you don't configure this policy setting, Windows Hello for Business doesn't allow users to use special characters in their PIN. 
@@ -763,9 +763,9 @@ If you don't configure this policy setting, Windows Hello for Business doesn't a Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN. -A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN. +A value of 1 corresponds to "Required". If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN. -A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN. +A value of 2 corresponds to "Disallow". If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN. If you don't configure this policy setting, Windows Hello for Business doesn't allow users to use uppercase letters in their PIN. @@ -861,6 +861,7 @@ Boolean that specifies if phone sign-in can be used with a device. Phone sign-in Default value is false. - If you enable this setting, a desktop device will allow a registered, companion device to be used as an authentication factor. + - If you disable this setting, a companion device can't be used in desktop authentication scenarios. 
@@ -1999,9 +2000,9 @@ Root node for PIN policies. Use this policy setting to configure the use of digits in the Windows Hello for Business PIN. -A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN. +A value of 1 corresponds to "Required". If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN. -A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN. +A value of 2 corresponds to "Disallow". If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN. If you don't configure this policy setting, Windows Hello for Business requires users to use digits in their PIN. @@ -2137,9 +2138,9 @@ This policy specifies the number of past PINs that can be stored in the history Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN. -A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN. +A value of 1 corresponds to "Required". If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN. -A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN. +A value of 2 corresponds to "Disallow". If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN. If you don't configure this policy setting, Windows Hello for Business doesn't allow users to use lowercase letters in their PIN. 
@@ -2289,9 +2290,9 @@ Minimum PIN length configures the minimum number of characters required for the Use this policy setting to configure the use of special characters in the Windows Hello for Business PIN gesture. Valid special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; `< = >` ? @ [ \ ] ^ _ ` { | } ~ . -A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. +A value of 1 corresponds to "Required". If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. -A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN. +A value of 2 corresponds to "Disallow". If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN. If you don't configure this policy setting, Windows Hello for Business doesn't allow users to use special characters in their PIN. 
@@ -2345,9 +2346,9 @@ If you don't configure this policy setting, Windows Hello for Business doesn't a Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN. -A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN. +A value of 1 corresponds to "Required". If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN. -A value of 2 corresponds to "Disallow." If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN. +A value of 2 corresponds to "Disallow". If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN. If you don't configure this policy setting, Windows Hello for Business doesn't allow users to use uppercase letters in their PIN. diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index 5e55ec1de2..d110cff6bc 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_AppCompat Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -229,7 +229,7 @@ This policy controls the state of the application compatibility engine in the sy The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a know problem. -Turning off the application compatibility engine will boost system performance. However, this will degrade the compatibility of many popular legacy applications, and won't block known incompatible applications from installing. (For Instance: This may result in a blue screen if an old anti-virus application is installed.) +Turning off the application compatibility engine will boost system performance. However, this will degrade the compatibility of many popular legacy applications, and won't block known incompatible applications from installing. (For Instance: This may result in a blue screen if an old anti-virus application is installed). The Windows Resource Protection and User Account Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the engine is turned off, these mitigations won't be applied to applications and their installers and these applications may fail to install or run properly. diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md index 7fddb59d66..7471be691a 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md +++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md 
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_AppxPackageManager Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -41,13 +41,13 @@ ms.topic: reference This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. Special profiles are the following user profiles, where changes are discarded after the user signs off: -Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies +Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies. -Mandatory user profiles and super-mandatory profiles, which are created by an administrator +Mandatory user profiles and super-mandatory profiles, which are created by an administrator. -Temporary user profiles, which are created when an error prevents the correct profile from loading +Temporary user profiles, which are created when an error prevents the correct profile from loading. -User profiles for the Guest account and members of the Guests group +User profiles for the Guest account and members of the Guests group. - If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of Windows Store apps when using a special profile. diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index f4093a84c0..c2c110b8ba 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md 
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_AuditSettings Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -47,7 +47,7 @@ This setting only applies when the Audit Process Creation policy is enabled. - If you disable or don't configure this policy setting, the process's command line information won't be included in Audit Process Creation events. -Default: Not configured +Default: Not configured. > [!NOTE] > When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information such as passwords or user data. diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index 18ca7e97f0..6ca32a3a25 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_Bits Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -287,7 +287,9 @@ If BITS peer caching is enabled, BITS caches downloaded files and makes them ava This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting doesn't affect transfers from the origin server). + To prevent any negative impact to a computer caused by serving other peers, by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100 Mbps network card and a 56 Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps. + You can change the default behavior of BITS, and specify a fixed maximum bandwidth that BITS will use for peer caching. - If you enable this policy setting, you can enter a value in bits per second (bps) between 1048576 and 4294967200 to use as the maximum network bandwidth used for peer caching. diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md index 3ba5ac3aaf..d847bc2c59 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_ControlPanel Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -178,14 +178,20 @@ Disables all Control Panel programs and the PC settings app. This setting prevents Control.exe and SystemSettings.exe, the program files for Control Panel and PC settings, from starting. As a result, users can't start Control Panel or PC settings, or run any of their items. This setting removes Control Panel from: -The Start screen -File Explorer + +The Start screen. + +File Explorer. This setting removes PC settings from: -The Start screen -Settings charm -Account picture -Search results + +The Start screen. + +Settings charm. + +Account picture. + +Search results. If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a setting prevents the action. diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md index b67723e27d..1f95adc480 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1127,6 +1127,7 @@ If this setting is enabled, the background and accent colors of Windows will be Determines whether screen savers used on the computer are password protected. - If you enable this setting, all screen savers are password protected. + - If you disable this setting, password protection can't be set on any screen saver. This setting also disables the "Password protected" checkbox on the Screen Saver dialog in the Personalization or Display Control Panel, preventing users from changing the password protection setting. 
@@ -1398,7 +1399,7 @@ This can be a local computer visual style (aero.msstyles), or a file located on > If this setting is enabled and the file isn't available at user logon, the default visual style is loaded. > [!NOTE] -> When running Windows XP, you can select the Luna visual style by typing %windir%\resources\Themes\Luna\Luna.msstyles +> When running Windows XP, you can select the Luna visual style by typing %windir%\resources\Themes\Luna\Luna.msstyles. > [!NOTE] > To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you can't apply the Windows Classic visual style. diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md index 2f1b2134df..04915e32c2 100644 --- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_CredentialProviders Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -163,19 +163,15 @@ This policy setting allows the administrator to assign a specified credential pr -This policy setting allows the administrator to exclude the specified -credential providers from use during authentication. +This policy setting allows the administrator to exclude the specified credential providers from use during authentication. + +Note credential providers are used to process and validate user credentials during logon or when authentication is required. -Note credential providers are used to process and validate user -credentials during logon or when authentication is required. Windows Vista provides two default credential providers: -Password and Smart Card. An administrator can install additional -credential providers for different sets of credentials -(for example, to support biometric authentication). -- If you enable this policy, an administrator can specify the CLSIDs -of the credential providers to exclude from the set of installed -credential providers available for authentication purposes. +Password and Smart Card. An administrator can install additional credential providers for different sets of credentials (for example, to support biometric authentication). + +- If you enable this policy, an administrator can specify the CLSIDs of the credential providers to exclude from the set of installed credential providers available for authentication purposes. - If you disable or don't configure this policy, all installed and otherwise enabled credential providers are available for authentication purposes. diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md index e1aa6cdef1..746fc85903 100644 --- a/windows/client-management/mdm/policy-csp-admx-credssp.md +++ b/windows/client-management/mdm/policy-csp-admx-credssp.md 
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_CredSsp Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -50,14 +50,18 @@ The policy becomes effective the next time the user signs on to a computer runni - If you disable or don't configure (by default) this policy setting, delegation of default credentials isn't permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB. FWlink for KB: + > [!NOTE] > The "Allow delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example: -TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine + +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine. + TERMSRV/* Remote Desktop Session Host running on all machines. + TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com. 
@@ -125,8 +129,11 @@ This policy setting applies when server authentication was achieved via NTLM. > The "Allow delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example: -TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine + +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine. + TERMSRV/* Remote Desktop Session Host running on all machines. + TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com. @@ -182,7 +189,7 @@ TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all -Encryption Oracle Remediation +Encryption Oracle Remediation. This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). @@ -264,9 +271,13 @@ This policy setting applies when server authentication was achieved via a truste > The "Allow delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard is permitted when specifying the SPN. For Example: -TERMSRV/host.humanresources.fabrikam.com -Remote Desktop Session Host running on host.humanresources.fabrikam.com machine + +TERMSRV/host.humanresources.fabrikam.com. + +Remote Desktop Session Host running on host.humanresources.fabrikam.com machine. + TERMSRV/* Remote Desktop Session Host running on all machines. + TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com. 
@@ -336,8 +347,11 @@ This policy setting applies when server authentication was achieved via NTLM. > The "Allow delegating fresh credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example: -TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine + +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine. + TERMSRV/* Remote Desktop Session Host running on all machines. + TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com. @@ -407,8 +421,11 @@ This policy setting applies when server authentication was achieved via a truste > The "Allow delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example: -TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine + +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine. + TERMSRV/* Remote Desktop Session Host running on all machines. + TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com. 
@@ -478,8 +495,11 @@ This policy setting applies when server authentication was achieved via NTLM. > The "Allow delegating saved credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example: -TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine + +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine. + TERMSRV/* Remote Desktop Session Host running on all machines. + TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com. 
@@ -545,9 +565,12 @@ This policy setting applies to applications using the Cred SSP component (for ex > The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can't be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example: -TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine + +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine. + TERMSRV/* Remote Desktop Session Host running on all machines. -TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com. This policy setting can be used in combination with the "Allow delegating default credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating default credentials" server list. 
@@ -614,9 +637,12 @@ This policy setting applies to applications using the Cred SSP component (for ex > The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can't be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example: -TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine + +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine. + TERMSRV/* Remote Desktop Session Host running on all machines. -TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com. This policy setting can be used in combination with the "Allow delegating fresh credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating fresh credentials" server list. 
@@ -683,9 +709,12 @@ This policy setting applies to applications using the Cred SSP component (for ex > The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can't be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example: -TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine + +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine. + TERMSRV/* Remote Desktop Session Host running on all machines. -TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com. This policy setting can be used in combination with the "Allow delegating saved credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating saved credentials" server list. @@ -745,7 +774,8 @@ This policy setting can be used in combination with the "Allow delegating saved When running in Restricted Admin or Remote Credential Guard mode, participating apps don't expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials aren't delegated. Remote Credential Guard doesn't limit access to resources because it redirects all requests back to the client device. Participating apps: -Remote Desktop Client + +Remote Desktop Client. - If you enable this policy setting, the following options are supported: 
diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md index 5c2b83f315..e5cf956edd 100644 --- a/windows/client-management/mdm/policy-csp-admx-desktop.md +++ b/windows/client-management/mdm/policy-csp-admx-desktop.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_Desktop Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -45,7 +45,7 @@ Displays the filter bar above the results of an Active Directory search. The fil - If you disable this setting or don't configure it, the filter bar doesn't appear, but users can display it by selecting "Filter" on the "View" menu. -To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar doesn't appear above the resulting display, on the View menu, click Filter. +To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator". If the filter bar doesn't appear above the resulting display, on the View menu, click Filter. @@ -838,7 +838,9 @@ This policy setting hides the Properties menu command on the shortcut menu for t - If you enable this policy setting, the Properties menu command won't be displayed when the user does any of the following: Right-clicks the My Documents icon. + Clicks the My Documents icon, and then opens the File menu. + Clicks the My Documents icon, and then presses ALT+ENTER. - If you disable or don't configure this policy setting, the Properties menu command is displayed. 
@@ -1563,7 +1565,7 @@ If you enable this setting, users can't add or remove toolbars from the desktop. > If users have added or removed toolbars, this setting prevents them from restoring the default configuration. > [!TIP] -> To view the toolbars that can be added to the desktop, right-click a docked toolbar (such as the taskbar beside the Start button), and point to "Toolbars." +> To view the toolbars that can be added to the desktop, right-click a docked toolbar (such as the taskbar beside the Start button), and point to "Toolbars". Also, see the "Prohibit adjusting desktop toolbars" setting. diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md index 61e0d5e8c7..b1348a061e 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_DeviceGuard Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -41,7 +41,7 @@ ms.topic: reference -Deploy Windows Defender Application Control +Deploy Windows Defender Application Control. This policy setting lets you deploy a Code Integrity Policy to a machine to control what's allowed to run on that machine. diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md index ffc46e0daf..d8e4b5055e 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskquota.md +++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md 
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_DiskQuota Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -53,7 +53,7 @@ To prevent users from changing the setting while a setting is in effect, the sys > This policy setting turns on disk quota management but doesn't establish or enforce a particular disk quota limit. To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit. > [!NOTE] -> To turn on or turn off disk quota management without specifying a setting, in My Computer, right-click the name of an NTFS volume, click Properties, click the Quota tab, and then click "Enable quota management." +> To turn on or turn off disk quota management without specifying a setting, in My Computer, right-click the name of an NTFS volume, click Properties, click the Quota tab, and then click "Enable quota management". @@ -111,6 +111,7 @@ To prevent users from changing the setting while a setting is in effect, the sys This policy setting determines whether disk quota limits are enforced and prevents users from changing the setting. - If you enable this policy setting, disk quota limits are enforced. + - If you disable this policy setting, disk quota limits aren't enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceeding quota limit" option on the Quota tab so administrators can't make changes while the setting is in effect. - If you don't configure this policy setting, the disk quota limit isn't enforced by default, but administrators can change the setting. 
@@ -245,6 +246,7 @@ This policy setting is effective only when disk quota management is enabled on t This policy setting determines whether the system records an event in the local Application log when users reach their disk quota limit on a volume, and prevents users from changing the logging setting. - If you enable this policy setting, the system records an event when the user reaches their limit. + - If you disable this policy setting, no event is recorded. Also, when you enable or disable this policy setting, the system disables the "Log event when a user exceeds their quota limit" option on the Quota tab, so administrators can't change the setting while a setting is in effect. - If you don't configure this policy setting, no events are recorded, but administrators can use the Quota tab option to change the setting. @@ -312,6 +314,7 @@ Also, this policy setting doesn't affect the Quota Entries window on the Quota t This policy setting determines whether the system records an event in the Application log when users reach their disk quota warning level on a volume. - If you enable this policy setting, the system records an event. + - If you disable this policy setting, no event is recorded. When you enable or disable this policy setting, the system disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators can't change logging while a policy setting is in effect. - If you don't configure this policy setting, no event is recorded, but administrators can use the Quota tab option to change the logging setting. diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index a05adfaa5a..f6c0d4debc 100644 --- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md 
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_DnsClient Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -100,11 +100,11 @@ Specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualifie Specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. -A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot. +A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com" is an example of a fully qualified name because it contains a terminating dot. For example, if attaching suffixes is allowed, an unqualified multi-label name query for "server.corp" will be queried by the DNS client first. If the query succeeds, the response is returned to the client. If the query fails, the unqualified multi-label name is appended with DNS suffixes. These suffixes can be derived from a combination of the local DNS client's primary domain suffix, a connection-specific domain suffix, and a DNS suffix search list. -If attaching suffixes is allowed, and a DNS client with a primary domain suffix of "contoso.com" performs a query for "server.corp" the DNS client will send a query for "server.corp" first, and then a query for "server.corp.contoso.com." second if the first query fails. +If attaching suffixes is allowed, and a DNS client with a primary domain suffix of "contoso.com" performs a query for "server.corp" the DNS client will send a query for "server.corp" first, and then a query for "server.corp.contoso.com" second if the first query fails. - If you enable this policy setting, suffixes are allowed to be appended to an unqualified multi-label name if the original name query fails. 
@@ -990,9 +990,9 @@ To specify the TTL, click Enabled and then enter a value in seconds (for example Specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. -An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com." +An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com". -Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com." +Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com". To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes. 
@@ -1239,7 +1239,7 @@ Only secure - computers send only secure dynamic updates. -Specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." +Specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com". By default, a DNS client that's configured to perform dynamic DNS update will update the DNS zone that's authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone. diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md index 8c8777e9ed..b0d3994734 100644 --- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_ErrorReporting Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -169,7 +169,7 @@ To create a list of applications for which Windows Error Reporting never reports - If you enable this policy setting, you can create a list of applications that are always included in error reporting. To add applications to the list, click Show under the Report errors for applications on this list setting, and edit the list of application file names in the Show Contents dialog box. The file names must include the .exe file name extension (for example, notepad.exe). Errors that are generated by applications on this list are always reported, even if the Default dropdown in the Default application reporting policy setting is set to report no application errors. -If the Report all errors in Microsoft applications or Report all errors in Windows components check boxes in the Default Application Reporting policy setting are filled, Windows Error Reporting reports errors as if all applications in these categories were added to the list in this policy setting. (Note: The Microsoft applications category includes the Windows components category.) +If the Report all errors in Microsoft applications or Report all errors in Windows components check boxes in the Default Application Reporting policy setting are filled, Windows Error Reporting reports errors as if all applications in these categories were added to the list in this policy setting. (Note: The Microsoft applications category includes the Windows components category). - If you disable this policy setting or don't configure it, the Default application reporting settings policy setting takes precedence. diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md index 3270f35b6e..b510d5bbff 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md +++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md 
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_EventForwarding Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -104,6 +104,7 @@ This policy setting allows you to configure the server address, refresh interval - If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics. Use the following syntax when using the HTTPS protocol: + Server=https://``:5986/wsman/SubscriptionManager/WEC,Refresh=``,IssuerCA=``. When using the HTTP protocol, use port 5985. - If you disable or don't configure this policy setting, the Event Collector computer won't be specified. diff --git a/windows/client-management/mdm/policy-csp-admx-filerevocation.md b/windows/client-management/mdm/policy-csp-admx-filerevocation.md index bd89712c67..bf73c35e40 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerevocation.md +++ b/windows/client-management/mdm/policy-csp-admx-filerevocation.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_FileRevocation Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -42,7 +42,8 @@ ms.topic: reference Windows Runtime applications can protect content which has been associated with an enterprise identifier (EID), but can only revoke access to content it protected. To allow an application to revoke access to all content on the device that's protected by a particular enterprise, add an entry to the list on a new line that contains the enterprise identifier, separated by a comma, and the Package Family Name of the application. The EID must be an internet domain belonging to the enterprise in standard international domain name format. Example value: -Contoso.com,ContosoIT. HumanResourcesApp_m5g0r7arhahqy + +Contoso.com,ContosoIT. HumanResourcesApp_m5g0r7arhahqy. - If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device. diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md index e8e81ba85c..9e086acb53 100644 --- a/windows/client-management/mdm/policy-csp-admx-filesys.md +++ b/windows/client-management/mdm/policy-csp-admx-filesys.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_FileSys Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -99,6 +99,7 @@ A reboot is required for this setting to take effect. Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation. A value of 0, the default, will enable delete notifications for all volumes. + A value of 1 will disable delete notifications for all volumes. 
@@ -379,12 +380,15 @@ If you enable short names on all volumes then short names will always be generat Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links: -Local Link to a Local Target -Local Link to a Remote Target -Remote Link to Remote Target -Remote Link to Local Target +Local Link to a Local Target. -For further information please refer to the Windows Help section +Local Link to a Remote Target. + +Remote Link to Remote Target. + +Remote Link to Local Target. + +For further information please refer to the Windows Help section. > [!NOTE] > If this policy is Disabled or Not Configured, local administrators may select the types of symbolic links to be evaluated. diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md index 70fc0069ba..07132d5d80 100644 --- a/windows/client-management/mdm/policy-csp-admx-globalization.md +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_Globalization Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -111,7 +111,9 @@ The policy setting "Restrict user locales" can also be enabled to disallow selec - If you disable or don't configure this policy setting, the user can select a custom locale as their user locale. - If this policy setting is enabled at the machine level, it can't be disabled by a per-user policy setting. + - If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. + - If this policy setting isn't configured at the machine level, restrictions will be based on per-user policy settings. To set this policy setting on a per-user basis, make sure that you don't configure the per-machine policy setting. @@ -180,7 +182,9 @@ The policy setting "Restrict user locales" can also be enabled to disallow selec - If you disable or don't configure this policy setting, the user can select a custom locale as their user locale. - If this policy setting is enabled at the machine level, it can't be disabled by a per-user policy setting. + - If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. + - If this policy setting isn't configured at the machine level, restrictions will be based on per-user policy settings. To set this policy setting on a per-user basis, make sure that you don't configure the per-machine policy setting. @@ -713,7 +717,9 @@ The locale list is specified using language tags, separated by a semicolon (;). - If you disable or don't configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. - If this policy setting is enabled at the computer level, it can't be disabled by a per-user policy. + - If this policy setting is disabled at the computer level, the per-user policy is ignored. + - If this policy setting isn't configured at the computer level, restrictions are based on per-user policies. 
@@ -780,7 +786,9 @@ The locale list is specified using language tags, separated by a semicolon (;). - If you disable or don't configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. - If this policy setting is enabled at the computer level, it can't be disabled by a per-user policy. + - If this policy setting is disabled at the computer level, the per-user policy is ignored. + - If this policy setting isn't configured at the computer level, restrictions are based on per-user policies. @@ -965,7 +973,9 @@ This policy setting prevents users from changing their user geographical locatio - If you disable or don't configure this policy setting, users may select any GeoID. - If you enable this policy setting at the computer level, it can't be disabled by a per-user policy setting. + - If you disable this policy setting at the computer level, the per-user policy is ignored. + - If you don't configure this policy setting at the computer level, restrictions are based on per-user policy settings. To set this policy setting on a per-user basis, make sure that the per-computer policy setting isn't configured. @@ -1030,7 +1040,9 @@ This policy setting prevents users from changing their user geographical locatio - If you disable or don't configure this policy setting, users may select any GeoID. - If you enable this policy setting at the computer level, it can't be disabled by a per-user policy setting. + - If you disable this policy setting at the computer level, the per-user policy is ignored. + - If you don't configure this policy setting at the computer level, restrictions are based on per-user policy settings. To set this policy setting on a per-user basis, make sure that the per-computer policy setting isn't configured. 
@@ -1097,7 +1109,9 @@ When this policy setting is enabled, users can still choose alternate locales in - If this policy setting is disabled or not configured, then the user can customize their user locale overrides. - If this policy is set to Enabled at the computer level, then it can't be disabled by a per-User policy. + - If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. + - If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. @@ -1164,7 +1178,9 @@ When this policy setting is enabled, users can still choose alternate locales in - If this policy setting is disabled or not configured, then the user can customize their user locale overrides. - If this policy is set to Enabled at the computer level, then it can't be disabled by a per-User policy. + - If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. + - If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. diff --git a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md index 58f02f82ae..e1d7e4f64b 100644 --- a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_GroupPolicy Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -23,7 +23,7 @@ ms.topic: reference -##### AllowX/ForestPolicy/and/RUP +2 AllowX/ForestPolicy/and/RUP | Scope | Editions | Applicable OS | @@ -45,10 +45,13 @@ This policy setting affects all user accounts that interactively log on to a com - If you don't configure this policy setting: - - No user-based policy settings are applied from the user's forest. - - Users don't receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user, and an event log message (1529) is posted. - - Loopback Group Policy processing is applied, using the Group Policy Objects (GPOs) that are scoped to the computer. - - An event log message (1109) is posted, stating that loopback was invoked in Replace mode. +- No user-based policy settings are applied from the user's forest. + +- Users don't receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user, and an event log message (1529) is posted. + +- Loopback Group Policy processing is applied, using the Group Policy Objects (GPOs) that are scoped to the computer. + +- An event log message (1109) is posted, stating that loopback was invoked in Replace mode. - If you enable this policy setting, the behavior is exactly the same as in Windows 2000: user policy is applied, and a roaming user profile is allowed from the trusted forest. 
@@ -172,6 +175,7 @@ This policy setting affects all policy settings that use the software installati This policy setting overrides customized settings that the program implementing the software installation policy set when it was installed. - If you enable this policy setting, you can use the check boxes provided to change the options. + - If you disable or don't configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. @@ -237,6 +241,7 @@ This policy setting affects all policies that use the disk quota component of Gr This policy setting overrides customized settings that the program implementing the disk quota policy set when it was installed. - If you enable this policy setting, you can use the check boxes provided to change the options. + - If you disable or don't configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. @@ -304,6 +309,7 @@ This policy setting affects all policies that use the encryption component of Gr It overrides customized settings that the program implementing the encryption policy set when it was installed. - If you enable this policy setting, you can use the check boxes provided to change the options. + - If you disable or don't configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. 
@@ -371,6 +377,7 @@ This policy setting affects all policies that use the folder redirection compone This policy setting overrides customized settings that the program implementing the folder redirection policy setting set when it was installed. - If you enable this policy setting, you can use the check boxes provided to change the options. + - If you disable or don't configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. @@ -436,6 +443,7 @@ This policy setting affects all policies that use the Internet Explorer Maintena This policy setting overrides customized settings that the program implementing the Internet Explorer Maintenance policy set when it was installed. - If you enable this policy setting, you can use the check boxes provided to change the options. + - If you disable or don't configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. 
@@ -503,6 +511,7 @@ This policy setting affects all policies that use the IP security component of G This policy setting overrides customized settings that the program implementing the IP security policy set when it was installed. - If you enable this policy setting, you can use the check boxes provided to change the options. + - If you disable or don't configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. @@ -568,6 +577,7 @@ This policy setting determines when registry policies are updated. This policy setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed. - If you enable this policy setting, you can use the check boxes provided to change the options. + - If you disable or don't configure this policy setting, it has no effect on the system. The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user logon or system restart. 
@@ -631,6 +641,7 @@ This policy setting determines when policies that assign shared scripts are upda This policy setting affects all policies that use the scripts component of Group Policy, such as those in WindowsSettings\Scripts. It overrides customized settings that the program implementing the scripts policy set when it was installed. - If you enable this policy setting, you can use the check boxes provided to change the options. + - If you disable or don't configure this setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. @@ -698,6 +709,7 @@ This policy setting affects all policies that use the security component of Grou This policy setting overrides customized settings that the program implementing the security policy set when it was installed. - If you enable this policy setting, you can use the check boxes provided to change the options. + - If you disable or don't configure this policy setting, it has no effect on the system. The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user logon or system restart. 
@@ -904,7 +916,7 @@ By default, interactively logged-on users can view their own Resultant Set of Po > This policy setting doesn't affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data. > [!NOTE] -> To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc +> To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc. > [!NOTE] > This policy setting exists as both a User Configuration and Computer Configuration setting. @@ -976,7 +988,7 @@ By default, interactively logged-on users can view their own Resultant Set of Po > This policy setting doesn't affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data. > [!NOTE] -> To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc +> To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc. > [!NOTE] > This policy setting exists as both a User Configuration and Computer Configuration setting. 
@@ -1411,13 +1423,13 @@ This policy setting determines whether the Windows device is allowed to particip This policy setting allows you to configure Group Policy caching behavior. -- If you enable or don't configure this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the "Configure Group Policy Slow Link Detection" policy setting to configure asynchronous foreground behavior.) +- If you enable or don't configure this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the "Configure Group Policy Slow Link Detection" policy setting to configure asynchronous foreground behavior). The slow link value that's defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds. 
The timeout value that's defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 milliseconds. -- If you disable this policy setting, the Group Policy client won't cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the "Configure Group Policy Slow Link Detection" policy setting to configure asynchronous foreground behavior.) +- If you disable this policy setting, the Group Policy client won't cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the "Configure Group Policy Slow Link Detection" policy setting to configure asynchronous foreground behavior). 
@@ -1474,10 +1486,13 @@ The timeout value that's defined in this policy setting determines how long Grou This policy setting allows you to configure Group Policy caching behavior on Windows Server machines. -- If you enable this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the "Configure Group Policy Slow Link Detection" policy setting to configure asynchronous foreground behavior.) +- If you enable this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the "Configure Group Policy Slow Link Detection" policy setting to configure asynchronous foreground behavior). + The slow link value that's defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds. 
+ The timeout value that's defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 milliseconds. -- If you disable or don't configure this policy setting, the Group Policy client won't cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the "Configure Group Policy Slow Link Detection" policy setting to configure asynchronous foreground behavior.) + +- If you disable or don't configure this policy setting, the Group Policy client won't cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the "Configure Group Policy Slow Link Detection" policy setting to configure asynchronous foreground behavior). 
@@ -1602,7 +1617,7 @@ A Group Policy administration (.adm) file can contain both true settings and pre - If you disable or don't configure this policy setting, the "Show Policies Only" command is turned on by default, but administrators can view preferences by turning off the "Show Policies Only" command. > [!NOTE] -> To find the "Show Policies Only" command, in Group Policy Object Editor, click the Administrative Templates folder (either one), right-click the same folder, and then point to "View." +> To find the "Show Policies Only" command, in Group Policy Object Editor, click the Administrative Templates folder (either one), right-click the same folder, and then point to "View". In Group Policy Object Editor, preferences have a red icon to distinguish them from true settings, which have a blue icon. @@ -1726,7 +1741,7 @@ This policy setting determines which domain controller the Group Policy Object E - If you disable this setting or don't configure it, the Group Policy Object Editor snap-in uses the domain controller designated as the PDC Operations Master for the domain. > [!NOTE] -> To change the PDC Operations Master for a domain, in Active Directory Users and Computers, right-click a domain, and then click "Operations Masters." +> To change the PDC Operations Master for a domain, in Active Directory Users and Computers, right-click a domain, and then click "Operations Masters". 
@@ -2394,7 +2409,7 @@ This leads to the following behavior: This security feature provides a means to override individual process MitigationOptions settings. This can be used to enforce a number of security policies specific to applications. The application name is specified as the Value name, including extension. The Value is specified as a bit field with a series of flags in particular positions. Bits can be set to either 0 (setting is forced off), 1 (setting is forced on), or ? (setting retains its existing value prior to GPO evaluation). The recognized bit locations are: PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001) -Enables data execution prevention (DEP) for the child process +Enables data execution prevention (DEP) for the child process. PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002) Enables DEP-ATL thunk emulation for the child process. DEP-ATL thunk emulation causes the system to intercept NX faults that originate from the Active Template Library (ATL) thunk layer. @@ -2410,6 +2425,7 @@ PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000) The bottom-up randomization policy, which includes stack randomization options, causes a random location to be used as the lowest user address. For instance, to enable PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE and PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON, disable PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF, and to leave all other options at their default values, specify a value of: + ???????????????0???????1???????1 Setting flags not specified here to any value other than ? results in undefined behavior. 
@@ -2652,13 +2668,15 @@ When Group Policy detects the bandwidth speed of a Direct Access connection, the This policy directs Group Policy processing to skip processing any client side extension that requires synchronous processing (that is, whether computers wait for the network to be fully initialized during computer startup and user logon) when a slow network connection is detected. - If you enable this policy setting, when a slow network connection is detected, Group Policy processing will always run in an asynchronous manner. -Client computers won't wait for the network to be fully initialized at startup and logon. Existing users will be logged-on using cached credentials, -which will result in shorter logon times. Group Policy will be applied in the background after the network becomes available. -Note that because this is a background refresh, extensions requiring synchronous processing such as Software Installation, Folder Redirection -and Drive Maps preference extension won't be applied. + +Client computers won't wait for the network to be fully initialized at startup and logon. Existing users will be logged-on using cached credentials, which will result in shorter logon times. Group Policy will be applied in the background after the network becomes available. + +Note that because this is a background refresh, extensions requiring synchronous processing such as Software Installation, Folder Redirection and Drive Maps preference extension won't be applied. Note There are two conditions that will cause Group Policy to be processed synchronously even if this policy setting is enabled: + 1 - At the first computer startup after the client computer has joined the domain. + 2 - If the policy setting "Always wait for the network at computer startup and logon" is enabled. - If you disable or don't configure this policy setting, detecting a slow network connection won't affect whether Group Policy processing will be synchronous or asynchronous. 
diff --git a/windows/client-management/mdm/policy-csp-admx-icm.md b/windows/client-management/mdm/policy-csp-admx-icm.md index 8b83fbf9b0..d9bba74952 100644 --- a/windows/client-management/mdm/policy-csp-admx-icm.md +++ b/windows/client-management/mdm/policy-csp-admx-icm.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_ICM Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -850,7 +850,7 @@ Also see the "Configure Error Reporting", "Display Error Notification" and "Disa This policy setting allows you to remove access to Windows Update. -- If you enable this policy setting, all Windows Update features are removed. This includes blocking access to the Windows Update website at , from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically installing driver updates from the Windows Update website. +- If you enable this policy setting, all Windows Update features are removed. This includes blocking access to the Windows Update website at , from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you'll neither be notified about nor will you receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically installing driver updates from the Windows Update website. - If you disable or don't configure this policy setting, users can access the Windows Update website and enable automatic updating to receive notifications and critical updates from Windows Update. 
diff --git a/windows/client-management/mdm/policy-csp-admx-iis.md b/windows/client-management/mdm/policy-csp-admx-iis.md index eabc93b5ad..b886cd2b1a 100644 --- a/windows/client-management/mdm/policy-csp-admx-iis.md +++ b/windows/client-management/mdm/policy-csp-admx-iis.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_IIS Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -42,7 +42,8 @@ ms.topic: reference "This policy setting prevents installation of Internet Information Services (IIS) on this computer. - If you enable this policy setting, Internet Information Services (IIS) can't be installed, and you won't be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not receive a warning that IIS can't be installed because of this Group Policy setting. Enabling this setting won't have any effect on IIS if IIS is already installed on the computer. -- If you disable or don't configure this policy setting, IIS can be installed, as well as all the programs and applications that require IIS to run." + +- If you disable or don't configure this policy setting, IIS can be installed, as well as all the programs and applications that require IIS to run". diff --git a/windows/client-management/mdm/policy-csp-admx-kdc.md b/windows/client-management/mdm/policy-csp-admx-kdc.md index 7c67c906a2..e31c39dc28 100644 --- a/windows/client-management/mdm/policy-csp-admx-kdc.md +++ b/windows/client-management/mdm/policy-csp-admx-kdc.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_kdc Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -52,13 +52,15 @@ If you configure the "Not supported" option, the domain controller doesn't suppo If you configure "Supported", the domain controller supports claims, compound authentication and Kerberos armoring. The domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring. -Domain functional level requirements +Domain functional level requirements. + For the options "Always provide claims" and "Fail unarmored authentication requests", when the domain functional level is set to Windows Server 2008 R2 or earlier then domain controllers behave as if the "Supported" option is selected. When the domain functional level is set to Windows Server 2012 then the domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring, and: - - If you set the "Always provide claims" option, always returns claims for accounts and supports the RFC behavior for advertising the flexible authentication secure tunneling (FAST). - - If you set the "Fail unarmored authentication requests" option, rejects unarmored Kerberos messages. +- If you set the "Always provide claims" option, always returns claims for accounts and supports the RFC behavior for advertising the flexible authentication secure tunneling (FAST). + +- If you set the "Fail unarmored authentication requests" option, rejects unarmored Kerberos messages. > [!WARNING] > When "Fail unarmored authentication requests" is set, then client computers which don't support Kerberos armoring will fail to authenticate to the domain controller. 
@@ -67,9 +69,11 @@ To ensure this feature is effective, deploy enough domain controllers that suppo Impact on domain controller performance when this policy setting is enabled: - - Secure Kerberos domain capability discovery is required resulting in additional message exchanges. - - Claims and compound authentication for Dynamic Access Control increases the size and complexity of the data in the message which results in more processing time and greater Kerberos service ticket size. - - Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors which results in increased processing time, but doesn't change the service ticket size. +- Secure Kerberos domain capability discovery is required resulting in additional message exchanges. + +- Claims and compound authentication for Dynamic Access Control increases the size and complexity of the data in the message which results in more processing time and greater Kerberos service ticket size. + +- Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors which results in increased processing time, but doesn't change the service ticket size. diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md index 3a2249f9ea..51dfef0089 100644 --- a/windows/client-management/mdm/policy-csp-admx-kerberos.md +++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_Kerberos Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -112,6 +112,7 @@ Automatic: Device will attempt to authenticate using its certificate. If the DC Force: Device will always authenticate using its certificate. If a DC can't be found which support computer account authentication using certificates then authentication will fail. - If you disable this policy setting, certificates will never be used. + - If you don't configure this policy setting, Automatic will be used. @@ -423,6 +424,7 @@ Automatic: Compound authentication is provided for this computer account when on Always: Compound authentication is always provided for this computer account. - If you disable this policy setting, Never will be used. + - If you don't configure this policy setting, Automatic will be used. diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md index 33edf55abc..b47f82b91f 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_LanmanServer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -47,14 +47,17 @@ If you enable this policy setting and don't specify at least one supported ciphe SMB 3.11 cipher suites: -AES_128_GCM -AES_128_CCM -AES_256_GCM -AES_256_CCM +AES_128_GCM. + +AES_128_CCM. + +AES_256_GCM. + +AES_256_CCM. SMB 3.0 and 3.02 cipher suites: -AES_128_CCM +AES_128_CCM. How to modify this setting: 
@@ -117,7 +120,7 @@ Arrange the desired cipher suites in the edit box, one cipher suite per line, in This policy setting specifies whether a hash generation service generates hashes, also called content information, for data that's stored in shared folders. This policy setting must be applied to server computers that have the File Services role and both the File Server and the BranchCache for Network Files role services installed. -Policy configuration +Policy configuration. Select one of the following: @@ -191,7 +194,7 @@ This policy setting specifies whether the BranchCache hash generation service su If you specify only one version that's supported, content information for that version is the only type that's generated by BranchCache, and it's the only type of content information that can be retrieved by client computers. For example, if you enable support for V1 hashes, BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes. -Policy configuration +Policy configuration. Select one of the following: diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md index 8d1cb9b196..f8be5837ce 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_LanmanWorkstation Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -47,14 +47,17 @@ If you enable this policy setting and don't specify at least one supported ciphe SMB 3.11 cipher suites: -AES_128_GCM -AES_128_CCM -AES_256_GCM -AES_256_CCM +AES_128_GCM. + +AES_128_CCM. + +AES_256_GCM. + +AES_256_CCM. SMB 3.0 and 3.02 cipher suites: -AES_128_CCM +AES_128_CCM. How to modify this setting: 
diff --git a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md index f7be07c69a..772b105ff4 100644 --- a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_LeakDiagnostic Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -47,8 +47,9 @@ This policy setting determines whether Diagnostic Policy Service (DPS) diagnoses This policy setting takes effect only under the following conditions: - - If the diagnostics-wide scenario execution policy isn't configured. - - When the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios aren't executed. +- If the diagnostics-wide scenario execution policy isn't configured. + +- When the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios aren't executed. > [!NOTE] > The DPS can be configured with the Services snap-in to the Microsoft Management Console. diff --git a/windows/client-management/mdm/policy-csp-admx-logon.md b/windows/client-management/mdm/policy-csp-admx-logon.md index 17891ec45a..398ad547da 100644 --- a/windows/client-management/mdm/policy-csp-admx-logon.md +++ b/windows/client-management/mdm/policy-csp-admx-logon.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_Logon Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -101,6 +101,7 @@ This policy prevents the user from showing account details (email address or use This policy setting disables the acrylic blur effect on logon background image. - If you enable this policy, the logon background image shows without blur. + - If you disable or don't configure this policy, the logon background image adopts the acrylic blur effect. @@ -560,7 +561,7 @@ This setting applies only to Windows 2000 Professional. It doesn't affect the "C > This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. > [!TIP] -> To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click "Getting Started." To suppress the welcome screen without specifying a setting, clear the "Show this screen at startup" check box on the welcome screen. +> To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click "Getting Started". To suppress the welcome screen without specifying a setting, clear the "Show this screen at startup" check box on the welcome screen. 
@@ -629,7 +630,7 @@ This setting applies only to Windows 2000 Professional. It doesn't affect the "C > This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. > [!TIP] -> To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click "Getting Started." To suppress the welcome screen without specifying a setting, clear the "Show this screen at startup" check box on the welcome screen. +> To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click "Getting Started". To suppress the welcome screen without specifying a setting, clear the "Show this screen at startup" check box on the welcome screen. 
@@ -826,15 +827,17 @@ On servers running Windows Server 2008 or later, this policy setting is ignored If the server is configured as follows, this policy setting takes effect during Group Policy processing at user logon: - - The server is configured as a terminal server (that is, the Terminal Server role service is installed and configured on the server); and - - The "Allow asynchronous user Group Policy processing when logging on through Terminal Services" policy setting is enabled. This policy setting is located under Computer Configuration\Policies\Administrative templates\System\Group Policy\. +- The server is configured as a terminal server (that is, the Terminal Server role service is installed and configured on the server); and +- The "Allow asynchronous user Group Policy processing when logging on through Terminal Services" policy setting is enabled. This policy setting is located under Computer Configuration\Policies\Administrative templates\System\Group Policy\. If this configuration isn't implemented on the server, this policy setting is ignored. In this case, Group Policy processing at user logon is synchronous (these servers wait for the network to be initialized during user logon). - If you disable or don't configure this policy setting and users log on to a client computer or a server running Windows Server 2008 or later and that's configured as described earlier, the computer typically doesn't wait for the network to be fully initialized. In this case, users are logged-on with cached credentials. Group Policy is applied asynchronously in the background. Note + -If you want to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one logon, enable this policy setting to ensure that Windows waits for the network to be available before applying policy. 
+ -If Folder Redirection policy will apply during the next logon, security policies will be applied asynchronously during the next update cycle, if network connectivity is available. diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index 1684e792d2..461ddc2f70 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -166,12 +166,15 @@ Enabling or disabling this policy may lead to unexpected or unsupported behavior Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off. Disabled (Default): + Microsoft Defender will exclude pre-defined list of paths from the scan to improve performance. Enabled: + Microsoft Defender won't exclude pre-defined list of paths from scans. This can impact machine performance in some scenarios. Not configured: + Same as Disabled. 
@@ -228,13 +231,19 @@ Same as Disabled. This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check won't occur, which will lower the protection state of the device. + Enabled - The Block at First Sight setting is turned on. + Disabled - The Block at First Sight setting is turned off. This feature requires these Group Policy settings to be set as follows: + MAPS -> The "Join Microsoft MAPS" must be enabled or the "Block at First Sight" feature won't function. + MAPS -> The "Send file samples when further analysis is required" should be set to 1 (Send safe samples) or 3 (Send all samples). Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature won't function. + Real-time Protection -> The "Scan all downloaded files and attachments" policy must be enabled or the "Block at First Sight" feature won't function. + Real-time Protection -> Don't enable the "Turn off real-time protection" policy or the "Block at First Sight" feature won't function. 
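Review bot: The four prerequisites after "This feature requires these Group Policy settings to be set as follows:" are now separate paragraphs that each start with "MAPS ->" or "Real-time Protection ->", so they still don't render as a list. These are the settings an admin has to verify for Block at First Sight to work, so consider "- " bullets as used for the ASR rule states elsewhere in this file, and the same for the "Enabled -" and "Disabled -" lines.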
@@ -649,16 +658,20 @@ This policy setting allows you to disable real-time scanning for any file opened Exclude files and paths from Attack Surface Reduction (ASR) rules. Enabled: + Specify the folders or files and resources that should be excluded from ASR rules in the Options section. + Enter each rule on a new line as a name-value pair: - - Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder - - Value column: Enter "0" for each item +- Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder +- Value column: Enter "0" for each item. Disabled: + No exclusions will be applied to the ASR rules. Not configured: + Same as Disabled. You can configure ASR rules in the Configure Attack Surface Reduction rules GP setting. 
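Review bot: The "Name column" bullet still ends without a period ("...that specific file in that specific folder") while the "Value column" bullet next to it gains one in this hunk; make the two consistent. Separately, the sample path "C:\Windows" excludes every file in that directory from ASR rules, which is a very broad exclusion to present as the example; a narrower, application-specific folder would be a safer sample for readers who copy it.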
@@ -720,30 +733,33 @@ Set the state for each Attack Surface Reduction (ASR) rule. After enabling this setting, you can set each rule to the following in the Options section: - - Block: the rule will be applied - - Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule won't actually be applied) - - Off: the rule won't be applied - - Not Configured: the rule is enabled with default values - - Warn: the rule will be applied and the end-user will have the option to bypass the block +- Block: the rule will be applied +- Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule won't actually be applied) +- Off: the rule won't be applied +- Not Configured: the rule is enabled with default values +- Warn: the rule will be applied and the end-user will have the option to bypass the block. Unless the ASR rule is disabled, a subsample of audit events are collected for ASR rules with the value of not configured. Enabled: + Specify the state for each ASR rule under the Options section for this setting. + Enter each rule on a new line as a name-value pair: - - Name column: Enter a valid ASR rule ID - - Value column: Enter the status ID that relates to state you want to specify for the associated rule +- Name column: Enter a valid ASR rule ID +- Value column: Enter the status ID that relates to state you want to specify for the associated rule. The following status IDs are permitted under the value column: - - 1 (Block) - - 0 (Off) - - 2 (Audit) - - 5 (Not Configured) - - 6 (Warn) +- 1 (Block) +- 0 (Off) +- 2 (Audit) +- 5 (Not Configured) +- 6 (Warn) Example: + xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0 xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx @@ -752,9 +768,11 @@ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2 Disabled: + No ASR rules will be configured. Not configured: + Same as Disabled. You can exclude folders or files in the "Exclude files and paths from Attack Surface Reduction Rules" GP setting. 
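Review bot: Trailing periods are added only to the last item of two lists here ("Warn: ... bypass the block." and "Value column: ... for the associated rule.") while the other items in the same lists have none; punctuate every item or none. The "Value column" text also still reads "relates to state you want to specify" and is missing "the". It would also help readers who map states to IDs if the status ID list (1, 0, 2, 5, 6) followed the order of the state list above it (Block, Audit Mode, Off, Not Configured, Warn) and used the same name for "Audit Mode" and "Audit".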
@@ -819,12 +837,15 @@ These applications are allowed to modify or delete files in controlled folder ac Microsoft Defender Antivirus automatically determines which applications should be trusted. You can configure this setting to add additional applications. Enabled: + Specify additional allowed applications in the Options section.. Disabled: + No additional applications will be added to the trusted list. Not configured: + Same as Disabled. You can enable controlled folder access in the Configure controlled folder access GP setting. @@ -889,15 +910,19 @@ Specify additional folders that should be guarded by the Controlled folder acces Files in these folders can't be modified or deleted by untrusted applications. Default system folders are automatically protected. You can configure this setting to add additional folders. + The list of default system folders that are protected is shown in Windows Security. Enabled: + Specify additional folders that should be protected in the Options section. Disabled: + No additional folders will be protected. Not configured: + Same as Disabled. You can enable controlled folder access in the Configure controlled folder access GP setting. @@ -960,12 +985,15 @@ Microsoft Defender Antivirus automatically determines which applications can be Enable or disable file hash computation feature. Enabled: + When this feature is enabled Microsoft Defender will compute hash value for files it scans. Disabled: -File hash value isn't computed + +File hash value isn't computed. Not configured: + Same as Disabled. @@ -1258,9 +1286,9 @@ This policy setting defines the URL of a proxy .pac file that should be used whe 2. Proxy .pac URL (if specified) 3. None -4. Internet Explorer proxy settings +4. Internet Explorer proxy settings. -5. Autodetect +5. Autodetect. - If you enable this setting, the proxy setting will be set to use the specified proxy .pac according to the order specified above. 
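Review bot: In the proxy fallback list, periods are added to items 4 and 5 only ("4. Internet Explorer proxy settings." and "5. Autodetect.") while "2. Proxy .pac URL (if specified)" and "3. None" stay unpunctuated; these are short list labels, so dropping the periods keeps the list uniform. The earlier hunk at -819 also leaves the doubled period in "Specify additional allowed applications in the Options section.." untouched, which this punctuation pass could fix.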
@@ -1324,9 +1352,9 @@ This policy setting allows you to configure the named proxy that should be used 2. Proxy .pac URL (if specified) 3. None -4. Internet Explorer proxy settings +4. Internet Explorer proxy settings. -5. Autodetect +5. Autodetect. - If you enable this setting, the proxy will be set to the specified URL according to the order specified above. The URL should be proceeded with either https:// or https://. @@ -2280,15 +2308,8 @@ This policy setting configures a local override for the configuration of the tim This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: -(0x0) Every Day -(0x1) Sunday -(0x2) Monday -(0x3) Tuesday -(0x4) Wednesday -(0x5) Thursday -(0x6) Friday -(0x7) Saturday -(0x8) Never (default) + +(0x0) Every Day (0x1) Sunday (0x2) Monday (0x3) Tuesday (0x4) Wednesday (0x5) Thursday (0x6) Friday (0x7) Saturday (0x8) Never (default) - If you enable this setting, a scheduled full scan to complete remediation will run at the frequency specified. @@ -2802,7 +2823,9 @@ This policy configures Windows software trace preprocessor (WPP Software Tracing This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). + Tracing levels are defined as: + 1 - Error 2 - Warning 3 - Info 
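Review bot: In the hunk at -1324, the context line "The URL should be proceeded with either https:// or https://." names the same scheme twice and uses "proceeded" where "preceded" is meant. Since the hunk already touches this paragraph, correct the wording and confirm which two schemes are accepted for the named proxy.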
@@ -4155,15 +4178,8 @@ This policy setting allows you to configure scheduled scans to start only when y This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: -(0x0) Every Day -(0x1) Sunday -(0x2) Monday -(0x3) Tuesday -(0x4) Wednesday -(0x5) Thursday -(0x6) Friday -(0x7) Saturday -(0x8) Never (default) + +(0x0) Every Day (0x1) Sunday (0x2) Monday (0x3) Tuesday (0x4) Wednesday (0x5) Thursday (0x6) Friday (0x7) Saturday (0x8) Never (default) - If you enable this setting, a scheduled scan will run at the frequency specified. @@ -4693,7 +4709,7 @@ This policy setting allows you to configure security intelligence updates on sta -This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: "InternalDefinitionUpdateServer", "MicrosoftUpdateServer", "MMPC", and "FileShares" +This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: "InternalDefinitionUpdateServer", "MicrosoftUpdateServer", "MMPC", and "FileShares". For Example: `{ InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }` 
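Review bot: The example `{ InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }` shows braces and spaces around each pipe, while the sentence edited in the hunk at -4693 describes the value as a pipe-separated string. Say whether the braces and spaces are part of the value or only notation, since an admin will paste this into the policy. "For Example:" should also be "For example:".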
@@ -4874,15 +4890,9 @@ This policy setting allows you to enable real-time security intelligence updates This policy setting allows you to specify the day of the week on which to check for security intelligence updates. The check can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: + (0x0) Every Day (default) -(0x1) Sunday -(0x2) Monday -(0x3) Tuesday -(0x4) Wednesday -(0x5) Thursday -(0x6) Friday -(0x7) Saturday -(0x8) Never +(0x1) Sunday (0x2) Monday (0x3) Tuesday (0x4) Wednesday (0x5) Thursday (0x6) Friday (0x7) Saturday (0x8) Never. - If you enable this setting, the check for security intelligence updates will occur at the frequency specified. 
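Review bot: The day values are collapsed unevenly: "(0x0) Every Day (default)" stays on its own line while "(0x1) Sunday" through "(0x8) Never." are joined on one added line with a period after the last value, and the hunks at -2280 and -4155 join all nine values on one line with no period. A single run of values is harder to scan than the list it replaces; if the aim is to control how the values render, use a bulleted list and apply the same form to all three settings.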
@@ -5297,15 +5307,15 @@ This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the onl You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft won't use this information to identify you or contact you. Possible options are: + (0x0) Disabled (default) -(0x1) Basic membership -(0x2) Advanced membership +(0x1) Basic membership (0x2) Advanced membership. Basic membership will send basic information to Microsoft about software that has been detected, including where the software came from, the actions that you apply or that are applied automatically, and whether the actions were successful. Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer. -- If you enable this setting, you will join Microsoft MAPS with the membership specified. +- If you enable this setting, you'll join Microsoft MAPS with the membership specified. - If you disable or don't configure this setting, you won't join Microsoft MAPS. 
@@ -5367,6 +5377,7 @@ In Windows 10, Basic membership is no longer available, so setting the value to This policy setting customize which remediation action will be taken for each listed Threat ID when it's detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains the action ID for the remediation action that should be taken. Valid remediation action values are: + 2 = Quarantine 3 = Remove 6 = Ignore. @@ -5483,6 +5494,7 @@ This policy setting allows you to configure whether or not to display additional Use this policy setting to specify if you want Microsoft Defender Antivirus notifications to display on clients. + - If you disable or don't configure this setting, Microsoft Defender Antivirus notifications will display on clients. - If you enable this setting, Microsoft Defender Antivirus notifications won't display on clients. @@ -5602,6 +5614,7 @@ If you enable this setting AM UI won't show reboot notifications. This policy setting allows you to configure whether or not to display AM UI to the users. + If you enable this setting AM UI won't be available to users. diff --git a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md index b5fa5e65bd..37c2d9166e 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md +++ b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_MMCSnapins Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -48,9 +48,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
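Review bot: The blank lines added before "- If this policy setting isn't configured or disabled, this snap-in is prohibited." and "- If this policy setting isn't configured or enabled, the snap-in is permitted." leave those two items at the same level as the bullets they depend on, so read on their own they contradict each other. Each one only holds under the preceding bullet's condition (the "Restrict users to the explicitly permitted list of snap-ins" setting enabled, or disabled or not configured), so indent them as sub-items of that bullet instead. The same applies to the identical hunks that follow in this file.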
@@ -117,9 +119,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -186,9 +190,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -255,9 +261,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -324,9 +332,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -393,9 +403,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -462,9 +474,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -531,9 +545,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -600,9 +616,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -669,9 +687,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -738,9 +758,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -807,9 +829,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -876,9 +900,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -945,9 +971,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -1014,9 +1042,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -1083,9 +1113,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -1152,9 +1184,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -1221,9 +1255,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -1290,9 +1326,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -1359,9 +1397,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -1428,9 +1468,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -1497,9 +1539,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -1566,9 +1610,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -1635,9 +1681,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -1704,9 +1752,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -1773,9 +1823,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -1842,9 +1894,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -1911,9 +1965,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -1980,9 +2036,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -2049,9 +2107,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -2118,9 +2178,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -2187,9 +2249,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -2256,9 +2320,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -2325,9 +2391,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -2394,9 +2462,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -2463,9 +2533,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -2601,9 +2673,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -2670,9 +2744,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -2739,9 +2815,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -2808,9 +2886,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -2877,9 +2957,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -2946,9 +3028,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -3015,9 +3099,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -3084,9 +3170,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -3153,9 +3241,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -3222,9 +3312,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -3291,9 +3383,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -3360,9 +3454,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -3429,9 +3525,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -3498,9 +3596,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -3567,9 +3667,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -3636,9 +3738,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -3705,9 +3809,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -3774,9 +3880,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -3843,9 +3951,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -3912,9 +4022,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -3981,9 +4093,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -4050,9 +4164,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -4119,9 +4235,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -4188,9 +4306,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -4257,9 +4377,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -4326,9 +4448,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -4395,9 +4519,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -4464,9 +4590,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -4533,9 +4661,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -4602,9 +4732,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -4671,9 +4803,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -4740,9 +4874,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -4809,9 +4945,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -4878,9 +5016,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -4947,9 +5087,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -5016,9 +5158,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -5085,9 +5229,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -5154,9 +5300,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -5223,9 +5371,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -5292,9 +5442,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -5361,9 +5513,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -5430,9 +5584,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -5499,9 +5655,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -5568,9 +5726,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -5637,9 +5797,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -5706,9 +5868,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -5775,9 +5939,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -5844,9 +6010,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -5913,9 +6081,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -5982,9 +6152,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -6051,9 +6223,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -6120,9 +6294,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -6189,9 +6365,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -6258,9 +6436,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -6327,9 +6507,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -6396,9 +6578,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -6465,9 +6649,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -6534,9 +6720,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -6603,9 +6791,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -6672,9 +6862,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -6741,9 +6933,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -6810,9 +7004,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -6879,9 +7075,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -6948,9 +7146,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -7017,9 +7217,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -7086,9 +7288,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. 
@@ -7155,9 +7359,11 @@ This policy setting permits or prohibits the use of this snap-in. - If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. + - If this policy setting isn't configured or disabled, this snap-in is prohibited. - If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. + - If this policy setting isn't configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. diff --git a/windows/client-management/mdm/policy-csp-admx-msapolicy.md b/windows/client-management/mdm/policy-csp-admx-msapolicy.md index 9de24482ba..2be7fd3549 100644 --- a/windows/client-management/mdm/policy-csp-admx-msapolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-msapolicy.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_MSAPolicy Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -42,9 +42,13 @@ ms.topic: reference This setting controls whether users can provide Microsoft accounts for authentication for applications or services. - If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. + This applies both to existing users of a device and new users who may be added. However, any application or service that has already authenticated a user won't be affected by enabling this setting until the authentication cache expires. + It's recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present. + - If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication. + By default, this setting is Disabled. This setting doesn't affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications. diff --git a/windows/client-management/mdm/policy-csp-admx-msched.md b/windows/client-management/mdm/policy-csp-admx-msched.md index f0e2bda261..a422431082 100644 --- a/windows/client-management/mdm/policy-csp-admx-msched.md +++ b/windows/client-management/mdm/policy-csp-admx-msched.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_msched Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -41,7 +41,7 @@ ms.topic: reference This policy setting allows you to configure Automatic Maintenance activation boundary. -The maintenance activation boundary is the daily schduled time at which Automatic Maintenance starts +The maintenance activation boundary is the daily schduled time at which Automatic Maintenance starts. - If you enable this policy setting, this will override the default daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel. diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md index f59500cda3..c8e0918d6f 100644 --- a/windows/client-management/mdm/policy-csp-admx-msi.md +++ b/windows/client-management/mdm/policy-csp-admx-msi.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_MSI Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -914,7 +914,7 @@ This policy setting should be used if you need to maintain a tight control over - If you enable this policy setting, updates can't be removed from the computer by a user or an administrator. The Windows Installer can still remove an update that's no longer applicable to the product. -- If you disable or don't configure this policy setting, a user can remove an update from the computer only if the user has been granted privileges to remove the update. This can depend on whether the user is an administrator, whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context." +- If you disable or don't configure this policy setting, a user can remove an update from the computer only if the user has been granted privileges to remove the update. This can depend on whether the user is an administrator, whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context". 
@@ -1091,9 +1091,11 @@ This policy setting causes the Windows Installer to enforce strict rules for com - If you enable this policy setting, strict upgrade rules will be enforced by the Windows Installer which may cause some upgrades to fail. Upgrades can fail if they attempt to do one of the following: (1) Remove a component from a feature. + This can also occur if you change the GUID of a component. The component identified by the original GUID appears to be removed and the component as identified by the new GUID appears as a new component. (2) Add a new feature to the top or middle of an existing feature tree. + The new feature must be added as a new leaf feature to an existing feature tree. - If you disable or don't configure this policy setting, the Windows Installer will use less restrictive rules for component upgrades. @@ -1280,7 +1282,7 @@ When you enable this policy setting, you can specify the types of events you wan To disable logging, delete all of the letters from the box. -If you disable or don't configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap." +If you disable or don't configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap". diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md index be96a03888..b94826a3c0 100644 --- a/windows/client-management/mdm/policy-csp-admx-nca.md +++ b/windows/client-management/mdm/policy-csp-admx-nca.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_nca Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -45,11 +45,11 @@ Each string can be one of the following types: - A DNS name or IPv6 address that NCA pings. The syntax is "PING:" followed by a fully qualified domain name (FQDN) that resolves to an IPv6 address, or an IPv6 address. Examples: PING:myserver.corp.contoso.com or PING:2002:836b:1::1. -Note +Note. We recommend that you use FQDNs instead of IPv6 addresses wherever possible. -Important +Important. At least one of the entries must be a PING: resource. @@ -289,7 +289,8 @@ The ability to disconnect allows users to specify single-label, unqualified name To restore the DirectAccess rules to the NRPT and resume normal DirectAccess functionality, the user clicks Connect. -Note +Note. + If the DirectAccess client computer is on the intranet and has correctly determined its network location, the Disconnect option has no effect because the rules for DirectAccess are already removed from the NRPT. If this setting isn't configured, users don't have Connect or Disconnect options. diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md index 4b36e599a7..13d24d1bfc 100644 --- a/windows/client-management/mdm/policy-csp-admx-netlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_Netlogon Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -46,7 +46,9 @@ Domain controllers use the client IP address during a DC locator ping request to The allowable values for this setting result in the following behaviors: 0 - DCs will never perform address lookups. + 1 - DCs will perform an exhaustive address lookup to discover additional client IP addresses. + 2 - DCs will perform a fast, DNS-only address lookup to discover additional client IP addresses. To specify this behavior in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 2. @@ -1789,6 +1791,7 @@ When an environment has a large number of DCs running both old and new operating The allowable values for this setting result in the following behaviors: 1 - Computers will ping DCs at the normal frequency. + 2 - Computers will ping DCs at the higher frequency. To specify this behavior, click Enabled and then enter a value. The range of values is from 1 to 2. diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md index 74731224b1..8eb1fd9ec5 100644 --- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_NetworkConnections Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -326,7 +326,7 @@ To create an all-user remote access connection, on the Connection Availability p - If you enable this setting, all users can delete shared remote access connections. In addition, if your file system is NTFS, users need to have Write access to Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk to delete a shared remote access connection. -- If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) can't delete all-user remote access connections. (By default, users can still delete their private connections, but you can change the default by using the "Prohibit deletion of remote access connections" setting.) +- If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) can't delete all-user remote access connections. (By default, users can still delete their private connections, but you can change the default by using the "Prohibit deletion of remote access connections" setting). > [!IMPORTANT] > If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. 
@@ -402,7 +402,7 @@ Determines whether users can delete remote access connections. > [!IMPORTANT] > If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. -- If you disable this setting or don't configure it, all users can delete their private remote access connections. Private connections are those that are available only to one user. (By default, only Administrators and Network Configuration Operators can delete connections available to all users, but you can change the default by using the "Ability to delete all user remote access connections" setting.) +- If you disable this setting or don't configure it, all users can delete their private remote access connections. Private connections are those that are available only to one user. (By default, only Administrators and Network Configuration Operators can delete connections available to all users, but you can change the default by using the "Ability to delete all user remote access connections" setting). > [!IMPORTANT] > When enabled, this setting takes precedence over the "Ability to delete all user remote access connections" setting. Users can't delete any remote access connections, and the "Ability to delete all user remote access connections" setting is ignored. @@ -1147,6 +1147,7 @@ This setting determines whether the Properties menu item is enabled, and thus, w > [!NOTE] > This setting takes precedence over settings that manipulate the availability of features inside the Remote Access Connection Properties dialog box. + - If this setting is disabled, nothing within the properties dialog box for a remote access connection will be available to users. > [!NOTE] 
@@ -1427,7 +1428,7 @@ To create an all-user connection, on the Connection Availability page in the New - If you don't configure the setting, only Administrators and Network Configuration Operators can rename all-user remote access connections. > [!NOTE] -> This setting doesn't apply to Administrators +> This setting doesn't apply to Administrators. > [!NOTE] > When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either Enabled or Disabled), this setting doesn't apply. @@ -1564,7 +1565,7 @@ Determines whether nonadministrators can rename a LAN connection. - If you disable this setting, the Rename option is disabled for nonadministrators only. -- If you don't configure this setting, only Administrators and Network Configuration Operators can rename LAN connections +- If you don't configure this setting, only Administrators and Network Configuration Operators can rename LAN connections. > [!NOTE] > This setting doesn't apply to Administrators. 
@@ -1698,7 +1699,7 @@ ICS lets administrators configure their system as an Internet gateway for a smal - If you enable this setting, ICS can't be enabled or configured by administrators, and the ICS service can't run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled. -- If you disable this setting or don't configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.) +- If you disable this setting or don't configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional). By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS. diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md index 3bf4a9faf6..56b4c9a621 100644 --- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md +++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md 
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_OfflineFiles Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -878,7 +878,7 @@ This policy setting enables administrators to block certain file types from bein Lists types of files that can't be used offline. -This setting lets you exclude certain types of files from automatic and manual caching for offline use. The system doesn't cache files of the type specified in this setting even when they reside on a network share configured for automatic caching. Also, if users try to make a file of this type available offline, the operation will fail and the following message will be displayed in the Synchronization Manager progress dialog box: "Files of this type can't be made available offline." +This setting lets you exclude certain types of files from automatic and manual caching for offline use. The system doesn't cache files of the type specified in this setting even when they reside on a network share configured for automatic caching. Also, if users try to make a file of this type available offline, the operation will fail and the following message will be displayed in the Synchronization Manager progress dialog box: "Files of this type can't be made available offline". This setting is designed to protect files that can't be separated, such as database components. 
@@ -1094,7 +1094,7 @@ This setting doesn't prevent users from working offline or from saving local cop This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. > [!TIP] -> To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files." +> To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files". @@ -1158,7 +1158,7 @@ This setting doesn't prevent users from working offline or from saving local cop This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. > [!TIP] -> To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files." +> To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files". 
@@ -1485,7 +1485,7 @@ This policy setting appears in the Computer Configuration and User Configuration The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. -This policy setting doesn't prevent files from being automatically cached if the network share is configured for "Automatic Caching." It only affects the display of the "Make Available Offline" command in File Explorer. +This policy setting doesn't prevent files from being automatically cached if the network share is configured for "Automatic Caching". It only affects the display of the "Make Available Offline" command in File Explorer. If the "Remove 'Make Available Offline' command" policy setting is enabled, this setting has no effect. @@ -1555,7 +1555,7 @@ This policy setting appears in the Computer Configuration and User Configuration The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. -This policy setting doesn't prevent files from being automatically cached if the network share is configured for "Automatic Caching." It only affects the display of the "Make Available Offline" command in File Explorer. +This policy setting doesn't prevent files from being automatically cached if the network share is configured for "Automatic Caching". It only affects the display of the "Make Available Offline" command in File Explorer. If the "Remove 'Make Available Offline' command" policy setting is enabled, this setting has no effect. 
@@ -1621,7 +1621,7 @@ If you disable the setting, the system displays the reminder balloons and preven If this setting isn't configured, reminder balloons are displayed by default when you enable offline files, but users can change the setting. -To prevent users from changing the setting while a setting is in effect, the system disables the "Enable reminders" option on the Offline Files tab +To prevent users from changing the setting while a setting is in effect, the system disables the "Enable reminders" option on the Offline Files tab. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. @@ -1691,7 +1691,7 @@ If you disable the setting, the system displays the reminder balloons and preven If this setting isn't configured, reminder balloons are displayed by default when you enable offline files, but users can change the setting. -To prevent users from changing the setting while a setting is in effect, the system disables the "Enable reminders" option on the Offline Files tab +To prevent users from changing the setting while a setting is in effect, the system disables the "Enable reminders" option on the Offline Files tab. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md index bcc762bc18..c7a0b84a44 100644 --- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md +++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md 
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_PeerToPeerCaching Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -41,13 +41,13 @@ ms.topic: reference This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache mode clients. To do so, configure one of the following the policy settings: -- Set BranchCache Distributed Cache mode +- Set BranchCache Distributed Cache mode. -- Set BranchCache Hosted Cache mode +- Set BranchCache Hosted Cache mode. -- Configure Hosted Cache Servers +- Configure Hosted Cache Servers. -Policy configuration +Policy configuration. Select one of the following: @@ -116,7 +116,7 @@ This policy setting specifies whether BranchCache distributed cache mode is enab In distributed cache mode, client computers download content from BranchCache-enabled main office content servers, cache the content locally, and serve the content to other BranchCache distributed cache mode clients in the branch office. -Policy configuration +Policy configuration. Select one of the following: @@ -185,7 +185,7 @@ This policy setting specifies whether BranchCache hosted cache mode is enabled o When a client computer is configured as a hosted cache mode client, it's able to download cached content from a hosted cache server that's located at the branch office. In addition, when the hosted cache client obtains content from a content server, the client can upload the content to the hosted cache server for access by other hosted cache clients at the branch office. -Policy configuration +Policy configuration. Select one of the following: 
@@ -271,7 +271,7 @@ This policy setting can only be applied to client computers that are running at If you disable, or don't configure this setting, a client won't attempt to discover hosted cache servers by service connection point. -Policy configuration +Policy configuration. Select one of the following: 
@@ -338,17 +338,17 @@ This policy setting specifies whether client computers are configured to use hos - If you enable this policy setting and specify valid computer names of hosted cache servers, hosted cache mode is enabled for all client computers to which the policy setting is applied. For this policy setting to take effect, you must also enable the "Turn on BranchCache" policy setting. -This policy setting can only be applied to client computers that are running at least Windows 8. This policy has no effect on computers that are running Windows 7 or Windows Vista. Client computers to which this policy setting is applied, in addition to the "Set BranchCache Hosted Cache mode" policy setting, use the hosted cache servers that are specified in this policy setting and don't use the hosted cache server that's configured in the policy setting "Set BranchCache Hosted Cache Mode." +This policy setting can only be applied to client computers that are running at least Windows 8. This policy has no effect on computers that are running Windows 7 or Windows Vista. Client computers to which this policy setting is applied, in addition to the "Set BranchCache Hosted Cache mode" policy setting, use the hosted cache servers that are specified in this policy setting and don't use the hosted cache server that's configured in the policy setting "Set BranchCache Hosted Cache Mode". - If you don't configure this policy setting, or if you disable this policy setting, client computers that are configured with hosted cache mode still function correctly. -Policy configuration +Policy configuration. Select one of the following: - Not Configured. With this selection, BranchCache settings aren't applied to client computers by this policy setting. -- Enabled. With this selection, the policy setting is applied to client computers, which are configured as hosted cache mode clients that use the hosted cache servers that you specify in "Hosted cache servers." +- Enabled. 
With this selection, the policy setting is applied to client computers, which are configured as hosted cache mode clients that use the hosted cache servers that you specify in "Hosted cache servers". - Disabled. With this selection, this policy isn't applied to client computers. @@ -410,7 +410,7 @@ In circumstances where this setting is enabled, you can also select and configur This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients don't cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers. -Policy configuration +Policy configuration. Select one of the following: @@ -482,7 +482,7 @@ This policy setting specifies the default percentage of total disk space that's - If you disable or don't configure this policy setting, the cache is set to 5 percent of the total disk space on the client computer. -Policy configuration +Policy configuration. Select one of the following: @@ -556,7 +556,7 @@ This policy setting specifies the default age in days for which segments are val - If you disable or don't configure this policy setting, the age is set to 28 days. -Policy configuration +Policy configuration. Select one of the following: 
@@ -624,11 +624,11 @@ In circumstances where this setting is enabled, you can also select and configur This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers don't use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats. -- If you enable this policy setting, all clients use the version of BranchCache that you specify in "Select from the following versions." +- If you enable this policy setting, all clients use the version of BranchCache that you specify in "Select from the following versions". - If you don't configure this setting, all clients will use the version of BranchCache that matches their operating system. -Policy configuration +Policy configuration. Select one of the following: @@ -640,7 +640,7 @@ Select one of the following: In circumstances where this setting is enabled, you can also select and configure the following option: -Select from the following versions +Select from the following versions. - Windows Vista with BITS 4.0 installed, Windows 7, or Windows Server 2008 R2. If you select this version, later versions of Windows run the version of BranchCache that's included in these operating systems rather than later versions of BranchCache. diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md index 1aed06c040..70d0eda39d 100644 --- a/windows/client-management/mdm/policy-csp-admx-power.md +++ b/windows/client-management/mdm/policy-csp-admx-power.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_Power Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -165,7 +165,7 @@ This policy setting specifies the action that Windows takes when a user presses -Sleep -Hibernate --Shut down +-Shut down. - If you disable this policy or don't configure this policy setting, users control this setting. @@ -522,7 +522,7 @@ This policy setting specifies the action that Windows takes when battery capacit -Take no action -Sleep -Hibernate --Shut down +-Shut down. - If you disable or don't configure this policy setting, users control this setting. @@ -585,7 +585,7 @@ This policy setting specifies the action that Windows takes when battery capacit -Take no action -Sleep -Hibernate --Shut down +-Shut down. - If you disable or don't configure this policy setting, users control this setting. @@ -948,7 +948,7 @@ This policy setting specifies the action that Windows takes when a user presses -Sleep -Hibernate --Shut down +-Shut down. - If you disable this policy or don't configure this policy setting, users control this setting. diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md index e251901957..1fe9516c0a 100644 --- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_PowerShellExecutionPolicy Area in Policy author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
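Review bot: In policy-csp-admx-power.md, the @@ -165, @@ -522, @@ -585 and @@ -948 hunks each append a period to the last option only (`-Shut down.`), while `-Sleep` and `-Hibernate` stay unpunctuated. These are names of actions rather than sentences, so the period reads as part of the option name; suggest dropping it, or punctuating all of the options the same way.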
@@ -126,9 +126,9 @@ The "Allow all scripts" policy setting allows all scripts to run. - If you disable this policy setting, no scripts are allowed to run. > [!NOTE] -> This policy setting exists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precedence over "User Configuration." +> This policy setting exists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precedence over "User Configuration". -- If you disable or don't configure this policy setting, it reverts to a per-machine preference setting; the default if that isn't configured is "No scripts allowed." +- If you disable or don't configure this policy setting, it reverts to a per-machine preference setting; the default if that isn't configured is "No scripts allowed". 
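Review bot: The two "disable" bullets in this hunk contradict each other, and the punctuation change leaves that in place. The context bullet says "If you disable this policy setting, no scripts are allowed to run", while the edited bullet says "If you disable or don't configure this policy setting, it reverts to a per-machine preference setting". This setting decides which scripts PowerShell will execute, so please confirm which behavior applies when the policy is disabled and remove "disable" from the other bullet.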
@@ -189,16 +189,11 @@ The "Allow all scripts" policy setting allows all scripts to run. This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. -- If you enable this policy setting, Windows PowerShell will enable transcripting for Windows PowerShell, the Windows PowerShell ISE, and any other -applications that leverage the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each users' My Documents -directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time started. Enabling this policy is equivalent -to calling the Start-Transcript cmdlet on each Windows PowerShell session. +- If you enable this policy setting, Windows PowerShell will enable transcripting for Windows PowerShell, the Windows PowerShell ISE, and any other applications that leverage the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each users' My Documents directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each Windows PowerShell session. -- If you disable this policy setting, transcripting of PowerShell-based applications is disabled by default, although transcripting can still be enabled -through the Start-Transcript cmdlet. +- If you disable this policy setting, transcripting of PowerShell-based applications is disabled by default, although transcripting can still be enabled through the Start-Transcript cmdlet. -If you use the OutputDirectory setting to enable transcript logging to a shared location, be sure to limit access to that directory to prevent users -from viewing the transcripts of other users or computers. 
+If you use the OutputDirectory setting to enable transcript logging to a shared location, be sure to limit access to that directory to prevent users from viewing the transcripts of other users or computers. > [!NOTE] > This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index fee31ca2ce..8080b412ee 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_Printing Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -116,7 +116,9 @@ Not all applications support driver isolation. By default, Microsoft Excel 2007, Note: -This policy setting applies only to applications opted into isolation. + -This policy setting applies only to print drivers loaded by applications. Print drivers loaded by the print spooler aren't affected. + -This policy setting is only checked once during the lifetime of a process. After changing the policy, a running application must be relaunched before settings take effect. 
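Review bot: The blank lines added under "Note:" in the @@ -116 hunk of policy-csp-admx-printing.md separate three lines that begin with "-This" (no space after the hyphen), so they are not Markdown list items and each one now renders as its own paragraph with a literal leading hyphen. Suggest rewriting them as "- This policy setting ..." bullets, or moving them into a `> [!NOTE]` block like the one used in the next hunk of this file. The @@ -1321 and @@ -1386 hunks have the same pattern.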
@@ -179,7 +181,7 @@ By default, the Printers folder includes a link to the Microsoft Support Web pag - If you disable this setting or don't configure it, or if you don't enter an alternate Internet address, the default link will appear in the Printers folder. > [!NOTE] -> Web pages links only appear in the Printers folder when Web view is enabled. If Web view is disabled, the setting has no effect. (To enable Web view, open the Printers folder, and, on the Tools menu, click Folder Options, click the General tab, and then click "Enable Web content in folders.") +> Web pages links only appear in the Printers folder when Web view is enabled. If Web view is disabled, the setting has no effect. (To enable Web view, open the Printers folder, and, on the Tools menu, click Folder Options, click the General tab, and then click "Enable Web content in folders"). Also, see the "Activate Internet printing" setting in this setting folder and the "Browse a common web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers. 
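Review bot: In the changed line, "(To enable Web view, ...)" is a complete sentence that follows "the setting has no effect.", so its terminating period belongs inside the parenthesis; ending it with `folders").` leaves the parenthetical sentence unterminated. Suggest `folders".)` if the period has to move outside the quotation marks. While this line is being edited, "Web pages links" should read "Web page links".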
@@ -238,11 +240,12 @@ Web view is affected by the "Turn on Classic Shell" and "Do not allow Folder Opt -- If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network.) +- If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network). - If this policy setting is disabled, the network scan page won't be displayed. - If this policy setting isn't configured, the Add Printer wizard will display the default number of printers of each type: + Directory printers: 20 TCP/IP printers: 0 Web Services printers: 0 @@ -319,6 +322,7 @@ This policy setting allows you to manage where client computers search for Point - If you disable this policy setting, the client computer will only search the local driver store and server driver cache for compatible Point and Print drivers. If it's unable to find a compatible driver, then the Point and Print connection will fail. This policy setting isn't configured by default, and the behavior depends on the version of Windows that you are using. + By default, Windows Ultimate, Professional and Home SKUs will continue to search for compatible Point and Print drivers from Windows Update, if needed. However, you must explicitly enable this policy setting for other versions of Windows (for example Windows Enterprise, and all versions of Windows Server 2008 R2 and later) to have the same behavior. 
@@ -573,7 +577,7 @@ If you enable this setting and type an Internet or intranet address in the text This setting makes it easy for users to find the printers you want them to add. -Also, see the "Custom support URL in the Printers folder's left pane" and "Activate Internet printing" settings in "Computer Configuration\Administrative Templates\Printers." +Also, see the "Custom support URL in the Printers folder's left pane" and "Activate Internet printing" settings in "Computer Configuration\Administrative Templates\Printers". @@ -873,11 +877,12 @@ This setting doesn't prevent users from running other programs to delete a print -This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged network (when the computer isn't able to reach a domain controller, e.g. a domain-joined laptop on a home network.) +This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged network (when the computer isn't able to reach a domain controller, e.g. a domain-joined laptop on a home network). - If this setting is disabled, the network scan page won't be displayed. If this setting isn't configured, the Add Printer wizard will display the default number of printers of each type: + TCP/IP printers: 50 Web Services printers: 50 Bluetooth printers: 10 @@ -1321,7 +1326,9 @@ This policy setting determines whether the print spooler will execute print driv Note: -Other system or driver policy settings may alter the process in which a print driver is executed. + -This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications aren't affected. + -This policy setting takes effect without restarting the print spooler service. 
@@ -1386,7 +1393,9 @@ This policy setting determines whether the print spooler will override the Drive Note: -Other system or driver policy settings may alter the process in which a print driver is executed. + -This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications aren't affected. + -This policy setting takes effect without restarting the print spooler service. diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md index 18f786321f..e08ad665f0 100644 --- a/windows/client-management/mdm/policy-csp-admx-reliability.md +++ b/windows/client-management/mdm/policy-csp-admx-reliability.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_Reliability Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -236,9 +236,9 @@ The Shutdown Event Tracker can be displayed when you shut down a workstation or - If you enable this setting and choose "Always" from the drop-down menu list, the Shutdown Event Tracker is displayed when the computer shuts down. -- If you enable this policy setting and choose "Server Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut down a computer running Windows Server. (See "Supported on" for supported versions.) +- If you enable this policy setting and choose "Server Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut down a computer running Windows Server. (See "Supported on" for supported versions). -- If you enable this policy setting and choose "Workstation Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut down a computer running a client version of Windows. (See "Supported on" for supported versions.) +- If you enable this policy setting and choose "Workstation Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut down a computer running a client version of Windows. (See "Supported on" for supported versions). - If you disable this policy setting, the Shutdown Event Tracker isn't displayed when you shut down the computer. diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md index 9fedc83d9d..1c36430a8b 100644 --- a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_RemoteAssistance Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -109,14 +109,14 @@ For example: "Turn off background" will include the following optimizations: -No full window drag --Turn off background +-Turn off background. "Full optimization" will include the following optimizations: -Use 16-bit color (8-bit color in Windows Vista) -Turn off font smoothing (not supported in Windows Vista) -No full window drag --Turn off background +-Turn off background. - If you enable this policy setting, bandwidth optimization occurs at the level specified. diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md index d3d244b264..9dd1fd7618 100644 --- a/windows/client-management/mdm/policy-csp-admx-removablestorage.md +++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_RemovableStorage Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1232,7 +1232,7 @@ This policy setting denies write access to removable disks. - If you disable or don't configure this policy setting, write access is allowed to this removable storage class. > [!NOTE] -> To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." +> To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives". 
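Review bot: The changed line in the @@ -1232 hunk of policy-csp-admx-removablestorage.md moves only the final period outside the quotation marks; the comma in `"Deny write access to drives not protected by BitLocker,"` is still inside the closing quote. Suggest moving that comma out as well, so the quoted text matches the policy name exactly for anyone searching for the BitLocker setting.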
diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md index 659311557d..b00d4f7d27 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_sdiageng Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -39,7 +39,7 @@ ms.topic: reference -This policy setting allows users who are connected to the Internet to access and search troubleshooting content that's hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they're prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" +This policy setting allows users who are connected to the Internet to access and search troubleshooting content that's hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they're prompted by a message that states, "Do you want the most up-to-date troubleshooting content?". - If you enable or don't configure this policy setting, users who are connected to the Internet can access and search troubleshooting content that's hosted on Microsoft content servers from within the Troubleshooting Control Panel user interface. diff --git a/windows/client-management/mdm/policy-csp-admx-servermanager.md b/windows/client-management/mdm/policy-csp-admx-servermanager.md index 8e864a9933..f662948db4 100644 --- a/windows/client-management/mdm/policy-csp-admx-servermanager.md +++ b/windows/client-management/mdm/policy-csp-admx-servermanager.md 
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_ServerManager Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -230,6 +230,7 @@ This policy setting allows you to set the refresh interval for Server Manager. E - If you enable this policy setting, Server Manager uses the refresh interval specified in the policy setting instead of the "Configure Refresh Interval" setting (in Windows Server 2008 and Windows Server 2008 R2), or the "Refresh the data shown in Server Manager every [x] [minutes/hours/days]" setting (in Windows Server 2012) that's configured in the Server Manager console. - If you disable this policy setting, Server Manager doesn't refresh automatically. + - If you don't configure this policy setting, Server Manager uses the refresh interval settings that are specified in the Server Manager console. > [!NOTE] diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md index 53fd4aca87..61db310b5f 100644 --- a/windows/client-management/mdm/policy-csp-admx-smartcard.md +++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_Smartcard Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -45,9 +45,9 @@ In versions of Windows prior to Windows Vista, smart card certificates that are - If you enable this policy setting, certificates with the following attributes can also be used to log on with a smart card: - - Certificates with no EKU - - Certificates with an All Purpose EKU - - Certificates with a Client Authentication EKU +- Certificates with no EKU +- Certificates with an All Purpose EKU +- Certificates with a Client Authentication EKU. - If you disable or don't configure this policy setting, only certificates that contain the smart card logon object identifier can be used to log on with a smart card. @@ -347,6 +347,7 @@ This policy setting allows you to manage the certificate propagation that occurs This policy setting allows you to manage the clean up behavior of root certificates. - If you enable this policy setting then root certificate cleanup will occur according to the option selected. + - If you disable or don't configure this setting then root certificate clean up will occur on log off. @@ -470,7 +471,7 @@ This policy setting prevents plaintext PINs from being returned by Credential Ma - If you disable or don't configure this policy setting, plaintext PINs can be returned by Credential Manager. > [!NOTE] -> Enabling this policy setting could prevent certain smart cards from working on Windows. Please consult your smart card manufacturer to find out whether you will be affected by this policy setting. +> Enabling this policy setting could prevent certain smart cards from working on Windows. Please consult your smart card manufacturer to find out whether you'll be affected by this policy setting. 
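Review bot: In the @@ -45 hunk of policy-csp-admx-smartcard.md, the removed "Certificates with ..." lines have whitespace before the list hyphen and the added lines do not, which promotes the three items from sub-items of "If you enable this policy setting, certificates with the following attributes can also be used to log on with a smart card:" to siblings of the enable and disable bullets. That changes how the list of accepted certificate types reads, so suggest keeping the indentation. The period added only after "Client Authentication EKU" also leaves the last item inconsistent with the other two.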
@@ -597,7 +598,7 @@ During the certificate renewal period, a user can have multiple valid logon cert If there are two or more of the "same" certificate on a smart card and this policy is enabled then the certificate that's used for logon on Windows 2000, Windows XP, and Windows 2003 Server will be shown, otherwise the certificate with the expiration time furthest in the future will be shown. > [!NOTE] -> This setting will be applied after the following policy: "Allow time invalid certificates" +> This setting will be applied after the following policy: "Allow time invalid certificates". - If you enable or don't configure this policy setting, filtering will take place. 
@@ -780,7 +781,7 @@ This policy setting allows you to manage the displayed message when a smart card This policy setting lets you reverse the subject name from how it's stored in the certificate when displaying it during logon. -By default the user principal name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com." If the UPN isn't present then the entire subject name will be displayed. This setting controls the appearance of that subject name and might need to be adjusted per organization. +By default the user principal name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com". If the UPN isn't present then the entire subject name will be displayed. This setting controls the appearance of that subject name and might need to be adjusted per organization. If you enable this policy setting or don't configure this setting, then the subject name will be reversed. diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md index 3d6e41a3f1..c72a1ae49c 100644 --- a/windows/client-management/mdm/policy-csp-admx-startmenu.md +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_StartMenu Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
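Review bot: The example subject in the changed line of the @@ -780 hunk (policy-csp-admx-smartcard.md) reads `CN=User1, OU=Users, DN=example, DN=com`; domain components in a distinguished name use the DC attribute type, so this should be `DC=example, DC=com`. Since the line is being edited anyway, "an UPN" should also become "a UPN".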
@@ -847,9 +847,9 @@ Enabling this setting adds a check box to the Run dialog box, giving users the o -This setting affects the notification area, also called the "system tray." +This setting affects the notification area, also called the "system tray". -The notification area is located in the task bar, generally at the bottom of the screen, and it includes the clock and current notifications. This setting determines whether the items are always expanded or always collapsed. By default, notifications are collapsed. The notification cleanup << icon can be referred to as the "notification chevron." +The notification area is located in the task bar, generally at the bottom of the screen, and it includes the clock and current notifications. This setting determines whether the items are always expanded or always collapsed. By default, notifications are collapsed. The notification cleanup << icon can be referred to as the "notification chevron". - If you enable this setting, the system notification area expands to show all of the notifications that use this area. 
@@ -977,9 +977,9 @@ When you hold the cursor over an item on the Start menu or in the notification a This policy setting allows you to prevent users from changing their Start screen layout. -- If you enable this setting, you will prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customize mode and rearranging tiles within Start and Apps. +- If you enable this setting, you'll prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customize mode and rearranging tiles within Start and Apps. -- If you disable or don't configure this setting, you will allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode and rearrange tiles within Start and Apps. +- If you disable or don't configure this setting, you'll allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode and rearrange tiles within Start and Apps. @@ -3947,6 +3947,7 @@ This policy setting shows or hides the "Run as different user" command on the St - If you enable this setting, the Run command is added to the Start menu. + - If you disable or don't configure this setting, the Run command isn't visible on the Start menu by default, but it can be added from the Taskbar and Start menu properties. If the Remove Run link from Start Menu policy is set, the Add the Run command to the Start menu policy has no effect. diff --git a/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md index 730f255949..89ec7e937f 100644 --- a/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md 
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_TabletPCInputPanel Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -559,17 +559,17 @@ Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k. Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. -- If you enable this policy and choose "Low" from the drop-down box, password security is set to "Low." At this setting, all password security settings are turned off. Users won't be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy and choose "Low" from the drop-down box, password security is set to "Low". At this setting, all password security settings are turned off. Users won't be able to configure this setting in the Input Panel Options dialog box. -- If you enable this policy and choose "Medium-Low" from the drop-down box, password security is set to "Medium-Low." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the cursor and which keys are tapped. Users won't be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy and choose "Medium-Low" from the drop-down box, password security is set to "Medium-Low". At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the cursor and which keys are tapped. Users won't be able to configure this setting in the Input Panel Options dialog box. -- If you enable this policy and choose "Medium" from the drop-down box, password security is set to "Medium." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching isn't allowed, and Input Panel displays the cursor and which keys are tapped. Users won't be able to configure this setting in the Input Panel Options dialog box. 
+- If you enable this policy and choose "Medium" from the drop-down box, password security is set to "Medium". At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching isn't allowed, and Input Panel displays the cursor and which keys are tapped. Users won't be able to configure this setting in the Input Panel Options dialog box. -- If you enable this policy and choose to "Medium-High" from the drop-down box, password security is set to "Medium-High." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel doesn't display the cursor or which keys are tapped. Users won't be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy and choose to "Medium-High" from the drop-down box, password security is set to "Medium-High". At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel doesn't display the cursor or which keys are tapped. Users won't be able to configure this setting in the Input Panel Options dialog box. -- If you enable this policy and choose "High" from the drop-down box, password security is set to "High." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching isn't allowed, and Input Panel doesn't display the cursor or which keys are tapped. Users won't be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy and choose "High" from the drop-down box, password security is set to "High". At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching isn't allowed, and Input Panel doesn't display the cursor or which keys are tapped. 
Users won't be able to configure this setting in the Input Panel Options dialog box. -- If you disable this policy, password security is set to "Medium-High." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel doesn't display the cursor or which keys are tapped. Users won't be able to configure this setting in the Input Panel Options dialog box. +- If you disable this policy, password security is set to "Medium-High". At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel doesn't display the cursor or which keys are tapped. Users won't be able to configure this setting in the Input Panel Options dialog box. - If you don't configure this policy, password security is set to "Medium-High" by default. At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel doesn't display the cursor or which keys are tapped. Users will be able to configure this setting on the Advanced tab in Input Panel Options in Windows 7 and Windows Vista. 
@@ -633,17 +633,17 @@ Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k. Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. -- If you enable this policy and choose "Low" from the drop-down box, password security is set to "Low." At this setting, all password security settings are turned off. Users won't be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy and choose "Low" from the drop-down box, password security is set to "Low". At this setting, all password security settings are turned off. Users won't be able to configure this setting in the Input Panel Options dialog box. -- If you enable this policy and choose "Medium-Low" from the drop-down box, password security is set to "Medium-Low." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the cursor and which keys are tapped. Users won't be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy and choose "Medium-Low" from the drop-down box, password security is set to "Medium-Low". At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the cursor and which keys are tapped. Users won't be able to configure this setting in the Input Panel Options dialog box. -- If you enable this policy and choose "Medium" from the drop-down box, password security is set to "Medium." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching isn't allowed, and Input Panel displays the cursor and which keys are tapped. Users won't be able to configure this setting in the Input Panel Options dialog box. 
+- If you enable this policy and choose "Medium" from the drop-down box, password security is set to "Medium". At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching isn't allowed, and Input Panel displays the cursor and which keys are tapped. Users won't be able to configure this setting in the Input Panel Options dialog box. -- If you enable this policy and choose to "Medium-High" from the drop-down box, password security is set to "Medium-High." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel doesn't display the cursor or which keys are tapped. Users won't be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy and choose to "Medium-High" from the drop-down box, password security is set to "Medium-High". At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel doesn't display the cursor or which keys are tapped. Users won't be able to configure this setting in the Input Panel Options dialog box. -- If you enable this policy and choose "High" from the drop-down box, password security is set to "High." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching isn't allowed, and Input Panel doesn't display the cursor or which keys are tapped. Users won't be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy and choose "High" from the drop-down box, password security is set to "High". At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching isn't allowed, and Input Panel doesn't display the cursor or which keys are tapped. 
Users won't be able to configure this setting in the Input Panel Options dialog box. -- If you disable this policy, password security is set to "Medium-High." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel doesn't display the cursor or which keys are tapped. Users won't be able to configure this setting in the Input Panel Options dialog box. +- If you disable this policy, password security is set to "Medium-High". At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel doesn't display the cursor or which keys are tapped. Users won't be able to configure this setting in the Input Panel Options dialog box. - If you don't configure this policy, password security is set to "Medium-High" by default. At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel doesn't display the cursor or which keys are tapped. Users will be able to configure this setting on the Advanced tab in Input Panel Options in Windows 7 and Windows Vista. diff --git a/windows/client-management/mdm/policy-csp-admx-tabletshell.md b/windows/client-management/mdm/policy-csp-admx-tabletshell.md index d54533ae26..065e07cce1 100644 --- a/windows/client-management/mdm/policy-csp-admx-tabletshell.md +++ b/windows/client-management/mdm/policy-csp-admx-tabletshell.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_TabletShell Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -287,7 +287,7 @@ Prevents printing to Journal Note Writer. - If you enable this policy, the Journal Note Writer printer driver won't allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail. -- If you disable this policy, you will be able to use this feature to print to a Journal Note. +- If you disable this policy, you'll be able to use this feature to print to a Journal Note. - If you don't configure this policy, users will be able to use this feature to print to a Journal Note. @@ -348,7 +348,7 @@ Prevents printing to Journal Note Writer. - If you enable this policy, the Journal Note Writer printer driver won't allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail. -- If you disable this policy, you will be able to use this feature to print to a Journal Note. +- If you disable this policy, you'll be able to use this feature to print to a Journal Note. - If you don't configure this policy, users will be able to use this feature to print to a Journal Note. @@ -1009,7 +1009,7 @@ Prevents the user from launching an application from a Tablet PC hardware button Prevents press and hold actions on hardware buttons, so that only one action is available per button. -- If you enable this policy, press and hold actions are unavailable, and the button configuration dialog will display the following text: "Some settings are controlled by Group Policy. If a setting is unavailable, contact your system administrator." +- If you enable this policy, press and hold actions are unavailable, and the button configuration dialog will display the following text: "Some settings are controlled by Group Policy. If a setting is unavailable, contact your system administrator". - If you disable this policy, press and hold actions for buttons will be available. 
@@ -1070,7 +1070,7 @@ Prevents press and hold actions on hardware buttons, so that only one action is Prevents press and hold actions on hardware buttons, so that only one action is available per button. -- If you enable this policy, press and hold actions are unavailable, and the button configuration dialog will display the following text: "Some settings are controlled by Group Policy. If a setting is unavailable, contact your system administrator." +- If you enable this policy, press and hold actions are unavailable, and the button configuration dialog will display the following text: "Some settings are controlled by Group Policy. If a setting is unavailable, contact your system administrator". - If you disable this policy, press and hold actions for buttons will be available. diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md index e4a26b95e9..b532bdadd9 100644 --- a/windows/client-management/mdm/policy-csp-admx-tcpip.md +++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_tcpip Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -282,7 +282,7 @@ This policy setting allows you to configure IP-HTTPS, a tunneling technology tha - If you disable or don't configure this policy setting, the local host settings are used. -- If you enable this policy setting, you can specify an IP-HTTPS server URL. You will be able to configure IP-HTTPS with one of the following settings: +- If you enable this policy setting, you can specify an IP-HTTPS server URL. You'll be able to configure IP-HTTPS with one of the following settings: Policy Default State: The IP-HTTPS interface is used when there are no other connectivity options. 
@@ -707,7 +707,7 @@ This policy setting allows you to configure Teredo, an address assignment and au - If you enable this policy setting, you can configure Teredo with one of the following settings: -Default: The default state is "Client." +Default: The default state is "Client". Disabled: No Teredo interfaces are present on the host. diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index b62a8729ca..a372de4237 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_TerminalServer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -234,6 +234,7 @@ This policy setting allows you to specify whether users can run Remote Desktop P > [!NOTE] > You can define this policy setting in the Computer Configuration node or in the User Configuration node. + - If you configure this policy setting for the computer, all users on the computer are affected. @@ -297,6 +298,7 @@ This policy setting allows you to specify whether users can run Remote Desktop P > [!NOTE] > You can define this policy setting in the Computer Configuration node or in the User Configuration node. + - If you configure this policy setting for the computer, all users on the computer are affected. 
@@ -471,6 +473,7 @@ This policy setting allows you to specify whether users can run unsigned Remote This policy setting allows you to specify whether users can redirect the remote computer's audio and video output in a Remote Desktop Services session. + Users can specify where to play the remote computer's audio output by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). Users can choose to play the remote audio on the remote computer or on the local computer. Users can also choose to not play the audio. Video playback can be configured by using the videoplayback setting in a Remote Desktop Protocol (.rdp) file. By default, video playback is enabled. By default, audio and video playback redirection isn't allowed when connecting to a computer running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. Audio and video playback redirection is allowed by default when connecting to a computer running Windows 8, Windows Server 2012, Windows 7, Windows Vista, or Windows XP Professional. @@ -535,6 +538,7 @@ By default, audio and video playback redirection isn't allowed when connecting t This policy setting allows you to specify whether users can record audio to the remote computer in a Remote Desktop Services session. + Users can specify whether to record audio to the remote computer by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). Users can record audio by using an audio input device on the local computer, such as a built-in microphone. By default, audio recording redirection isn't allowed when connecting to a computer running Windows Server 2008 R2. Audio recording redirection is allowed by default when connecting to a computer running at least Windows 7, or Windows Server 2008 R2. 
@@ -849,7 +853,7 @@ By default, Remote Desktop Services automatically designates the client default -This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is available. If you use this setting, the Remote Desktop Client will use only software decoding. For example, if you have a problem that you suspect may be related to hardware acceleration, use this setting to disable the acceleration; then, if the problem still occurs, you will know that there are additional issues to investigate. If you disable this setting or leave it not configured, the Remote Desktop client will use hardware accelerated decoding if supported hardware is available. +This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is available. If you use this setting, the Remote Desktop Client will use only software decoding. For example, if you have a problem that you suspect may be related to hardware acceleration, use this setting to disable the acceleration; then, if the problem still occurs, you'll know that there are additional issues to investigate. If you disable this setting or leave it not configured, the Remote Desktop client will use hardware accelerated decoding if supported hardware is available. 
@@ -1033,6 +1037,7 @@ By default, Remote Desktop Services doesn't allow redirection of supported Plug - If you disable this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer. - If you enable this policy setting, users can't redirect their supported Plug and Play devices to the remote computer. + - If you don't configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it's running Windows Server 2012 R2 and earlier versions. > [!NOTE] @@ -1163,6 +1168,7 @@ This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA Note: You can define this policy setting in the Computer Configuration node or in the User Configuration node. + - If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. @@ -1230,6 +1236,7 @@ This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA Note: You can define this policy setting in the Computer Configuration node or in the User Configuration node. + - If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. 
@@ -1358,12 +1365,12 @@ You can use this policy setting to set a limit on the color depth of any connect Note: 1. Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows XP Professional. + 2. The value specified in this policy setting isn't applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections. 3. For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012, the minimum of the following values is used as the color depth format: -a. Value specified by this policy setting -b. Maximum color depth supported by the client -c. Value requested by the client + +a. Value specified by this policy setting b. Maximum color depth supported by the client c. Value requested by the client. If the client doesn't support at least 16 bits, the connection is terminated. @@ -2816,7 +2823,7 @@ A license server attempts to provide the most appropriate RDS or TS CAL for a co By default, if the most appropriate RDS CAL isn't available for a connection, a Windows Server 2008 license server will issue a Windows Server 2008 TS CAL, if available, to the following: * A client connecting to a Windows Server 2003 terminal server -* A client connecting to a Windows 2000 terminal server +* A client connecting to a Windows 2000 terminal server. - If you enable this policy setting, the license server will only issue a temporary RDS CAL to the client if an appropriate RDS CAL for the RD Session Host server isn't available. If the client has already been issued a temporary RDS CAL and the temporary RDS CAL has expired, the client won't be able to connect to the RD Session Host server unless the RD Licensing grace period for the RD Session Host server hasn't expired. 
@@ -3065,9 +3072,11 @@ By default, when a new user signs in to a computer, the Start screen is shown an - If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list: 1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. + 2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. 3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. + 4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. 5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. @@ -3130,9 +3139,11 @@ By default, when a new user signs in to a computer, the Start screen is shown an - If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list: 1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. + 2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. 3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. + 4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. 5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. 
@@ -3580,7 +3591,7 @@ This policy setting allows you to specify which protocols can be used for Remote - If you enable this policy setting, you must specify if you would like RDP to use UDP. -You can select one of the following options: "Use both UDP and TCP", "Use only TCP" or "Use either UDP or TCP (default)" +You can select one of the following options: "Use both UDP and TCP", "Use only TCP" or "Use either UDP or TCP (default)". If you select "Use either UDP or TCP" and the UDP connection is successful, most of the RDP traffic will use UDP. @@ -3944,6 +3955,7 @@ This policy setting allows you to specify the visual quality for remote users wh - If you enable this policy setting and set quality to High, RemoteFX Adaptive Graphics uses an encoding mechanism that results in high quality images and consumes moderate network bandwidth. - If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data isn't impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that you set this for very specific cases only. + - If you disable or don't configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. 
@@ -4001,6 +4013,7 @@ This policy setting allows you to specify the visual quality for remote users wh This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remote Desktop Session Host server so that the sessions are compatible with non-Windows thin client devices designed for Windows Server 2008 R2 SP1. These clients only support the Windows Server 2008 R2 SP1 RemoteFX Codec. - If you enable this policy setting, users' sessions on this server will only use the Windows Server 2008 R2 SP1 RemoteFX Codec for encoding. This mode is compatible with thin client devices that only support the Windows Server 2008 R2 SP1 RemoteFX Codec. + - If you disable or don't configure this policy setting, non-Windows thin clients that only support the Windows Server 2008 R2 SP1 RemoteFX Codec won't be able to connect to this server. This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1, and doesn't affect clients that are using other RDP versions. @@ -4061,11 +4074,11 @@ This policy setting allows the administrator to configure the RemoteFX experienc - If you enable this policy setting, the RemoteFX experience could be set to one of the following options: 1. Let the system choose the experience for the network condition -2. Optimize for server scalability +2. Optimize for server scalability. -3. Optimize for minimum bandwidth usage +3. Optimize for minimum bandwidth usage. -- If you disable or don't configure this policy setting, the RemoteFX experience will change dynamically based on the network condition." +- If you disable or don't configure this policy setting, the RemoteFX experience will change dynamically based on the network condition". 
@@ -4891,7 +4904,7 @@ To use this setting, in Program path and file name, type the fully qualified pat If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory isn't specified) as the working directory for the program. -If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) +If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting). > [!NOTE] > This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. 
@@ -4959,7 +4972,7 @@ To use this setting, in Program path and file name, type the fully qualified pat If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory isn't specified) as the working directory for the program. -If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) +If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting). > [!NOTE] > This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. 
@@ -5663,6 +5676,7 @@ To configure this policy setting, type the path to the network share in the form Note: 1. The roaming user profiles enabled by the policy setting apply only to Remote Desktop Services connections. A user might also have a Windows roaming user profile configured. The Remote Desktop Services roaming user profile always takes precedence in a Remote Desktop Services session. + 2. To configure a mandatory Remote Desktop Services roaming user profile for all users connecting remotely to the RD Session Host server, use this policy setting together with the "Use mandatory profiles on the RD Session Host server" policy setting located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting should contain the mandatory profile. diff --git a/windows/client-management/mdm/policy-csp-admx-touchinput.md b/windows/client-management/mdm/policy-csp-admx-touchinput.md index 9c2c38224e..a0905b6d96 100644 --- a/windows/client-management/mdm/policy-csp-admx-touchinput.md +++ b/windows/client-management/mdm/policy-csp-admx-touchinput.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_TouchInput Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -39,7 +39,8 @@ ms.topic: reference -Turn off Panning +Turn off Panning. + Turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. - If you enable this setting, the user won't be able to pan windows by touch. 
@@ -104,7 +105,8 @@ Turns off touch panning, which allows users pan inside windows by touch. On a co -Turn off Panning +Turn off Panning. + Turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. - If you enable this setting, the user won't be able to pan windows by touch. @@ -169,7 +171,7 @@ Turns off touch panning, which allows users pan inside windows by touch. On a co -Turn off Tablet PC touch input +Turn off Tablet PC touch input. Turns off touch input, which allows the user to interact with their computer using their finger. @@ -235,7 +237,7 @@ Turns off touch input, which allows the user to interact with their computer usi -Turn off Tablet PC touch input +Turn off Tablet PC touch input. Turns off touch input, which allows the user to interact with their computer using their finger. diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md index f0a248a97d..93388ebc6f 100644 --- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md +++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_UserExperienceVirtualization Area in Poli author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -44,10 +44,13 @@ ms.topic: reference This policy setting configures the synchronization of user settings of Calculator. + By default, the user settings of Calculator synchronize between computers. Use the policy setting to prevent the user settings of Calculator from synchronization between computers. - If you enable this policy setting, the Calculator user settings continue to synchronize. + - If you disable this policy setting, Calculator user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -108,10 +111,15 @@ By default, the user settings of Calculator synchronize between computers. Use t This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users' computers. With Sync Method set to "SyncProvider," the UE-V Agent uses a built-in sync provider to keep user settings synchronized between the computer and the settings storage location. This is the default value. You can disable the sync provider on computers that never go offline and are always connected to the settings storage location. + When SyncMethod is set to "None," the UE-V Agent uses no sync provider. Settings are written directly to the settings storage location rather than being cached to sync later. + Set SyncMethod to "External" when an external synchronization engine is being deployed for settings sync. This could use OneDrive, Work Folders, SharePoint or any other engine that uses a local folder to synchronize data between users' computers. In this mode, UE-V writes settings data to the local folder specified in the settings storage path. These settings are then synchronized to other computers by an external synchronization engine. UE-V has no control over this synchronization. It only reads and writes the settings data when the normal UE-V triggers take place. + With notifications enabled, UE-V users receive a message when the settings sync is delayed. The notification delay policy setting defines the delay before a notification appears. + - If you disable this policy setting, the sync provider is used to synchronize settings between computers and the settings storage location. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -173,7 +181,9 @@ With notifications enabled, UE-V users receive a message when the settings sync This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment. UE-V settings rollback data and checkpoints are normally stored only on the local computer. With this policy setting enabled, the rollback information is copied to the settings storage location when the user logs off or shuts down their VDI session. Enable this setting to register a VDI-specific settings location template and restore data on computers in pooled VDI environments that reset to a clean state on logout. With this policy enabled you can roll settings back to the state when UE-V was installed or to "last-known-good" configurations. Only enable this policy setting on computers running in a non-persistent VDI environment. The VDI Collection Name defines the name of the virtual desktop collection containing the virtual computers. - If you enable this policy setting, the UE-V rollback state is copied to the settings storage location on logout and restored on login. + - If you disable this policy setting, no UE-V rollback state is copied to the settings storage location. + - If you don't configure this policy, no UE-V rollback state is copied to the settings storage location. @@ -232,7 +242,9 @@ This policy setting configures the synchronization of User Experience Virtualiza This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center. - If you enable this policy setting, the Company Settings Center displays the specified text in the link to the Contact IT URL. + - If you disable this policy setting, the Company Settings Center doesn't display an IT Contact link. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -290,7 +302,9 @@ This policy setting specifies the text of the Contact IT URL hyperlink in the Co This policy setting specifies the URL for the Contact IT link in the Company Settings Center. - If you enable this policy setting, the Company Settings Center Contact IT text links to the specified URL. The link can be of any standard protocol such as http or mailto. + - If you disable this policy setting, the Company Settings Center doesn't display an IT Contact link. + - If you don't configure this policy setting, any defined values will be deleted. @@ -350,10 +364,13 @@ This policy setting specifies the URL for the Contact IT link in the Company Set This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps. + By default, the UE-V Agent synchronizes settings for Windows apps between the computer and the settings storage location. - If you enable this policy setting, the UE-V Agent won't synchronize settings for Windows apps. + - If you disable this policy setting, the UE-V Agent will synchronize settings for Windows apps. + - If you don't configure this policy setting, any defined values are deleted. > [!NOTE] 
@@ -417,10 +434,13 @@ By default, the UE-V Agent synchronizes settings for Windows apps between the co This policy setting configures the synchronization of Windows settings between computers. + Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates. - If you enable this policy setting, only the selected Windows settings synchronize. Unselected Windows settings are excluded from settings synchronization. + - If you disable this policy setting, all Windows Settings are excluded from the settings synchronization. + - If you don't configure this policy setting, any defined values will be deleted. @@ -535,10 +555,13 @@ This policy setting allows you to enable or disable User Experience Virtualizati This policy setting configures the synchronization of user settings for the Finance app. + By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers. - If you enable this policy setting, Finance user settings continue to sync. + - If you disable this policy setting, Finance user settings are excluded from synchronization. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -595,9 +618,13 @@ By default, the user settings of Finance sync between computers. Use the policy This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for the first time. + By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers. + With this setting enabled, the notification appears the first time that the UE-V Agent runs. + With this setting disabled, no notification appears. + If you don't configure this policy setting, any defined values are deleted. @@ -658,10 +685,13 @@ If you don't configure this policy setting, any defined values are deleted. This policy setting configures the synchronization of user settings for the Games app. + By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers. - If you enable this policy setting, Games user settings continue to sync. + - If you disable this policy setting, Games user settings are excluded from synchronization. + - If you don't configure this policy setting, any defined values will be deleted. @@ -722,10 +752,13 @@ By default, the user settings of Games sync between computers. Use the policy se This policy setting configures the synchronization of user settings of Internet Explorer 10. + By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers. - If you enable this policy setting, the Internet Explorer 10 user settings continue to synchronize. + - If you disable this policy setting, Internet Explorer 10 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -786,10 +819,13 @@ By default, the user settings of Internet Explorer 10 synchronize between comput This policy setting configures the synchronization of user settings of Internet Explorer 11. + By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers. - If you enable this policy setting, the Internet Explorer 11 user settings continue to synchronize. + - If you disable this policy setting, Internet Explorer 11 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -850,10 +886,13 @@ By default, the user settings of Internet Explorer 11 synchronize between comput This policy setting configures the synchronization of user settings for Internet Explorer 8. + By default, the user settings of Internet Explorer 8 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 8 from synchronization between computers. - If you enable this policy setting, the Internet Explorer 8 user settings continue to synchronize. + - If you disable this policy setting, Internet Explorer 8 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -914,10 +953,13 @@ By default, the user settings of Internet Explorer 8 synchronize between compute This policy setting configures the synchronization of user settings for Internet Explorer 9. + By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers. - If you enable this policy setting, the Internet Explorer 9 user settings continue to synchronize. + - If you disable this policy setting, Internet Explorer 9 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -978,10 +1020,13 @@ By default, the user settings of Internet Explorer 9 synchronize between compute This policy setting configures the synchronization of user settings which are common between the versions of Internet Explorer. + By default, the user settings which are common between the versions of Internet Explorer synchronize between computers. Use the policy setting to prevent the user settings of Internet Explorer from synchronization between computers. - If you enable this policy setting, the user settings which are common between the versions of Internet Explorer continue to synchronize. + - If you disable this policy setting, the user settings which are common between the versions of Internet Explorer are excluded from settings synchronization. If any version of the Internet Explorer settings are enabled this policy setting shouldn't be disabled. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -1041,10 +1086,13 @@ By default, the user settings which are common between the versions of Internet This policy setting configures the synchronization of user settings for the Maps app. + By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers. - If you enable this policy setting, Maps user settings continue to sync. + - If you disable this policy setting, Maps user settings are excluded from synchronization. + - If you don't configure this policy setting, any defined values will be deleted. @@ -1107,6 +1155,7 @@ By default, the user settings of Maps sync between computers. Use the policy set This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent doesn't report information about package file size. - If you enable this policy setting, specify the threshold file size in bytes. When the settings package file exceeds this threshold the UE-V Agent will write a warning event to the event log. + - If you disable or don't configure this policy setting, no event is written to the event log to report settings package size. @@ -1166,10 +1215,13 @@ This policy setting allows you to configure the UE-V Agent to write a warning ev This policy setting configures the synchronization of user settings for Microsoft Access 2010. + By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers. - If you enable this policy setting, Microsoft Access 2010 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Access 2010 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -1229,9 +1281,11 @@ By default, the user settings of Microsoft Access 2010 synchronize between compu This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications. + By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. - If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications continue to synchronize. + - If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2010 applications are enabled, this policy setting shouldn't be disabled - If you don't configure this policy setting, any defined values will be deleted. @@ -1292,10 +1346,13 @@ By default, the user settings which are common between the Microsoft Office Suit This policy setting configures the synchronization of user settings for Microsoft Excel 2010. + By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers. - If you enable this policy setting, Microsoft Excel 2010 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Excel 2010 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -1355,10 +1412,13 @@ By default, the user settings of Microsoft Excel 2010 synchronize between comput This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010. + By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers. - If you enable this policy setting, Microsoft InfoPath 2010 user settings continue to synchronize. + - If you disable this policy setting, Microsoft InfoPath 2010 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -1418,10 +1478,13 @@ By default, the user settings of Microsoft InfoPath 2010 synchronize between com This policy setting configures the synchronization of user settings for Microsoft Lync 2010. + By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers. - If you enable this policy setting, Microsoft Lync 2010 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Lync 2010 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -1482,10 +1545,13 @@ By default, the user settings of Microsoft Lync 2010 synchronize between compute This policy setting configures the synchronization of user settings for Microsoft OneNote 2010. + By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers. - If you enable this policy setting, Microsoft OneNote 2010 user settings continue to synchronize. + - If you disable this policy setting, Microsoft OneNote 2010 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -1545,10 +1611,13 @@ By default, the user settings of Microsoft OneNote 2010 synchronize between comp This policy setting configures the synchronization of user settings for Microsoft Outlook 2010. + By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers. - If you enable this policy setting, Microsoft Outlook 2010 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Outlook 2010 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -1608,10 +1677,13 @@ By default, the user settings of Microsoft Outlook 2010 synchronize between comp This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010. + By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers. - If you enable this policy setting, Microsoft PowerPoint 2010 user settings continue to synchronize. + - If you disable this policy setting, Microsoft PowerPoint 2010 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -1671,10 +1743,13 @@ By default, the user settings of Microsoft PowerPoint 2010 synchronize between c This policy setting configures the synchronization of user settings for Microsoft Project 2010. + By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers. - If you enable this policy setting, Microsoft Project 2010 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Project 2010 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -1734,10 +1809,13 @@ By default, the user settings of Microsoft Project 2010 synchronize between comp This policy setting configures the synchronization of user settings for Microsoft Publisher 2010. + By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers. - If you enable this policy setting, Microsoft Publisher 2010 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Publisher 2010 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -1797,10 +1875,13 @@ By default, the user settings of Microsoft Publisher 2010 synchronize between co This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010. + By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers. - If you enable this policy setting, Microsoft SharePoint Designer 2010 user settings continue to synchronize. + - If you disable this policy setting, Microsoft SharePoint Designer 2010 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -1860,10 +1941,13 @@ By default, the user settings of Microsoft SharePoint Designer 2010 synchronize This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010. + By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers. - If you enable this policy setting, Microsoft SharePoint Workspace 2010 user settings continue to synchronize. + - If you disable this policy setting, Microsoft SharePoint Workspace 2010 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -1923,10 +2007,13 @@ By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize This policy setting configures the synchronization of user settings for Microsoft Visio 2010. + By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers. - If you enable this policy setting, Microsoft Visio 2010 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Visio 2010 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -1986,10 +2073,13 @@ By default, the user settings of Microsoft Visio 2010 synchronize between comput This policy setting configures the synchronization of user settings for Microsoft Word 2010. + By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers. - If you enable this policy setting, Microsoft Word 2010 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Word 2010 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -2049,10 +2139,13 @@ By default, the user settings of Microsoft Word 2010 synchronize between compute This policy setting configures the synchronization of user settings for Microsoft Access 2013. + By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers. - If you enable this policy setting, Microsoft Access 2013 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Access 2013 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -2112,10 +2205,13 @@ By default, the user settings of Microsoft Access 2013 synchronize between compu This policy setting configures the backup of certain user settings for Microsoft Access 2013. + Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings. - If you enable this policy setting, certain user settings of Microsoft Access 2013 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft Access 2013 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. @@ -2175,10 +2271,13 @@ Microsoft Access 2013 has user settings that are backed up instead of synchroniz This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. + By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers. - If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize. + - If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2013 applications are enabled, this policy setting shouldn't be disabled. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -2238,10 +2337,13 @@ By default, the user settings which are common between the Microsoft Office Suit This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 applications. + Microsoft Office Suite 2013 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2013 applications. - If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will continue to be backed up. + - If you disable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. @@ -2301,10 +2403,13 @@ Microsoft Office Suite 2013 has user settings which are common between applicati This policy setting configures the synchronization of user settings for Microsoft Excel 2013. + By default, the user settings of Microsoft Excel 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2013 from synchronization between computers. - If you enable this policy setting, Microsoft Excel 2013 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Excel 2013 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -2364,10 +2469,13 @@ By default, the user settings of Microsoft Excel 2013 synchronize between comput This policy setting configures the backup of certain user settings for Microsoft Excel 2013. + Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings. - If you enable this policy setting, certain user settings of Microsoft Excel 2013 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft Excel 2013 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. @@ -2427,10 +2535,13 @@ Microsoft Excel 2013 has user settings that are backed up instead of synchronizi This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013. + By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers. - If you enable this policy setting, Microsoft InfoPath 2013 user settings continue to synchronize. + - If you disable this policy setting, Microsoft InfoPath 2013 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -2490,10 +2601,13 @@ By default, the user settings of Microsoft InfoPath 2013 synchronize between com This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. + Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings. - If you enable this policy setting, certain user settings of Microsoft InfoPath 2013 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft InfoPath 2013 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. @@ -2553,10 +2667,13 @@ Microsoft InfoPath 2013 has user settings that are backed up instead of synchron This policy setting configures the synchronization of user settings for Microsoft Lync 2013. + By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers. - If you enable this policy setting, Microsoft Lync 2013 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Lync 2013 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -2616,10 +2733,13 @@ By default, the user settings of Microsoft Lync 2013 synchronize between compute This policy setting configures the backup of certain user settings for Microsoft Lync 2013. + Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings. - If you enable this policy setting, certain user settings of Microsoft Lync 2013 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft Lync 2013 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. @@ -2679,10 +2799,13 @@ Microsoft Lync 2013 has user settings that are backed up instead of synchronizin This policy setting configures the synchronization of user settings for OneDrive for Business 2013. + By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers. - If you enable this policy setting, OneDrive for Business 2013 user settings continue to synchronize. + - If you disable this policy setting, OneDrive for Business 2013 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -2742,10 +2865,13 @@ By default, the user settings of OneDrive for Business 2013 synchronize between This policy setting configures the synchronization of user settings for Microsoft OneNote 2013. + By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers. - If you enable this policy setting, Microsoft OneNote 2013 user settings continue to synchronize. + - If you disable this policy setting, Microsoft OneNote 2013 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -2805,10 +2931,13 @@ By default, the user settings of Microsoft OneNote 2013 synchronize between comp This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. + Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings. - If you enable this policy setting, certain user settings of Microsoft OneNote 2013 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft OneNote 2013 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -2868,10 +2997,13 @@ Microsoft OneNote 2013 has user settings that are backed up instead of synchroni This policy setting configures the synchronization of user settings for Microsoft Outlook 2013. + By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers. - If you enable this policy setting, Microsoft Outlook 2013 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Outlook 2013 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -2931,10 +3063,13 @@ By default, the user settings of Microsoft Outlook 2013 synchronize between comp This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. + Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings. - If you enable this policy setting, certain user settings of Microsoft Outlook 2013 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft Outlook 2013 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -2994,10 +3129,13 @@ Microsoft Outlook 2013 has user settings that are backed up instead of synchroni This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013. + By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers. - If you enable this policy setting, Microsoft PowerPoint 2013 user settings continue to synchronize. + - If you disable this policy setting, Microsoft PowerPoint 2013 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -3057,10 +3195,13 @@ By default, the user settings of Microsoft PowerPoint 2013 synchronize between c This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. + Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings. - If you enable this policy setting, certain user settings of Microsoft PowerPoint 2013 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft PowerPoint 2013 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -3120,10 +3261,13 @@ Microsoft PowerPoint 2013 has user settings that are backed up instead of synchr This policy setting configures the synchronization of user settings for Microsoft Project 2013. + By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers. - If you enable this policy setting, Microsoft Project 2013 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Project 2013 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -3183,10 +3327,13 @@ By default, the user settings of Microsoft Project 2013 synchronize between comp This policy setting configures the backup of certain user settings for Microsoft Project 2013. + Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings. - If you enable this policy setting, certain user settings of Microsoft Project 2013 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft Project 2013 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -3246,10 +3393,13 @@ Microsoft Project 2013 has user settings that are backed up instead of synchroni This policy setting configures the synchronization of user settings for Microsoft Publisher 2013. + By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers. - If you enable this policy setting, Microsoft Publisher 2013 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Publisher 2013 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -3309,10 +3459,13 @@ By default, the user settings of Microsoft Publisher 2013 synchronize between co This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. + Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings. - If you enable this policy setting, certain user settings of Microsoft Publisher 2013 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft Publisher 2013 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -3372,10 +3525,13 @@ Microsoft Publisher 2013 has user settings that are backed up instead of synchro This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013. + By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers. - If you enable this policy setting, Microsoft SharePoint Designer 2013 user settings continue to synchronize. + - If you disable this policy setting, Microsoft SharePoint Designer 2013 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -3435,10 +3591,13 @@ By default, the user settings of Microsoft SharePoint Designer 2013 synchronize This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013. + Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings. - If you enable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -3498,10 +3657,13 @@ Microsoft SharePoint Designer 2013 has user settings that are backed up instead This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center. + By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers. - If you enable this policy setting, Microsoft Office 2013 Upload Center user settings continue to synchronize. + - If you disable this policy setting, Microsoft Office 2013 Upload Center user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -3561,10 +3723,13 @@ By default, the user settings of Microsoft Office 2013 Upload Center synchronize This policy setting configures the synchronization of user settings for Microsoft Visio 2013. + By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers. - If you enable this policy setting, Microsoft Visio 2013 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Visio 2013 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -3624,10 +3789,13 @@ By default, the user settings of Microsoft Visio 2013 synchronize between comput This policy setting configures the backup of certain user settings for Microsoft Visio 2013. + Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings. - If you enable this policy setting, certain user settings of Microsoft Visio 2013 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft Visio 2013 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. @@ -3687,10 +3855,13 @@ Microsoft Visio 2013 has user settings that are backed up instead of synchronizi This policy setting configures the synchronization of user settings for Microsoft Word 2013. + By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers. - If you enable this policy setting, Microsoft Word 2013 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Word 2013 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -3750,10 +3921,13 @@ By default, the user settings of Microsoft Word 2013 synchronize between compute This policy setting configures the backup of certain user settings for Microsoft Word 2013. + Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings. - If you enable this policy setting, certain user settings of Microsoft Word 2013 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft Word 2013 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. @@ -3813,10 +3987,13 @@ Microsoft Word 2013 has user settings that are backed up instead of synchronizin This policy setting configures the synchronization of user settings for Microsoft Access 2016. + By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers. - If you enable this policy setting, Microsoft Access 2016 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Access 2016 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -3876,10 +4053,13 @@ By default, the user settings of Microsoft Access 2016 synchronize between compu This policy setting configures the backup of certain user settings for Microsoft Access 2016. + Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings. - If you enable this policy setting, certain user settings of Microsoft Access 2016 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft Access 2016 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. @@ -3939,10 +4119,13 @@ Microsoft Access 2016 has user settings that are backed up instead of synchroniz This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. + By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers. - If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize. + - If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2016 applications are enabled, this policy setting shouldn't be disabled. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -4002,10 +4185,13 @@ By default, the user settings which are common between the Microsoft Office Suit This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 applications. + Microsoft Office Suite 2016 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2016 applications. - If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will continue to be backed up. + - If you disable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. @@ -4065,10 +4251,13 @@ Microsoft Office Suite 2016 has user settings which are common between applicati This policy setting configures the synchronization of user settings for Microsoft Excel 2016. + By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers. - If you enable this policy setting, Microsoft Excel 2016 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Excel 2016 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -4128,10 +4317,13 @@ By default, the user settings of Microsoft Excel 2016 synchronize between comput This policy setting configures the backup of certain user settings for Microsoft Excel 2016. + Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings. - If you enable this policy setting, certain user settings of Microsoft Excel 2016 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft Excel 2016 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. @@ -4191,10 +4383,13 @@ Microsoft Excel 2016 has user settings that are backed up instead of synchronizi This policy setting configures the synchronization of user settings for Microsoft Lync 2016. + By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers. - If you enable this policy setting, Microsoft Lync 2016 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Lync 2016 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -4254,10 +4449,13 @@ By default, the user settings of Microsoft Lync 2016 synchronize between compute This policy setting configures the backup of certain user settings for Microsoft Lync 2016. + Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings. - If you enable this policy setting, certain user settings of Microsoft Lync 2016 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft Lync 2016 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. @@ -4317,10 +4515,13 @@ Microsoft Lync 2016 has user settings that are backed up instead of synchronizin This policy setting configures the synchronization of user settings for OneDrive for Business 2016. + By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers. - If you enable this policy setting, OneDrive for Business 2016 user settings continue to synchronize. + - If you disable this policy setting, OneDrive for Business 2016 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -4380,10 +4581,13 @@ By default, the user settings of OneDrive for Business 2016 synchronize between This policy setting configures the synchronization of user settings for Microsoft OneNote 2016. + By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers. - If you enable this policy setting, Microsoft OneNote 2016 user settings continue to synchronize. + - If you disable this policy setting, Microsoft OneNote 2016 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -4443,10 +4647,13 @@ By default, the user settings of Microsoft OneNote 2016 synchronize between comp This policy setting configures the backup of certain user settings for Microsoft OneNote 2016. + Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings. - If you enable this policy setting, certain user settings of Microsoft OneNote 2016 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft OneNote 2016 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -4506,10 +4713,13 @@ Microsoft OneNote 2016 has user settings that are backed up instead of synchroni This policy setting configures the synchronization of user settings for Microsoft Outlook 2016. + By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers. - If you enable this policy setting, Microsoft Outlook 2016 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Outlook 2016 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -4569,10 +4779,13 @@ By default, the user settings of Microsoft Outlook 2016 synchronize between comp This policy setting configures the backup of certain user settings for Microsoft Outlook 2016. + Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings. - If you enable this policy setting, certain user settings of Microsoft Outlook 2016 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft Outlook 2016 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -4632,10 +4845,13 @@ Microsoft Outlook 2016 has user settings that are backed up instead of synchroni This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016. + By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers. - If you enable this policy setting, Microsoft PowerPoint 2016 user settings continue to synchronize. + - If you disable this policy setting, Microsoft PowerPoint 2016 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -4695,10 +4911,13 @@ By default, the user settings of Microsoft PowerPoint 2016 synchronize between c This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016. + Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings. - If you enable this policy setting, certain user settings of Microsoft PowerPoint 2016 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft PowerPoint 2016 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -4758,10 +4977,13 @@ Microsoft PowerPoint 2016 has user settings that are backed up instead of synchr This policy setting configures the synchronization of user settings for Microsoft Project 2016. + By default, the user settings of Microsoft Project 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2016 from synchronization between computers. - If you enable this policy setting, Microsoft Project 2016 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Project 2016 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -4821,10 +5043,13 @@ By default, the user settings of Microsoft Project 2016 synchronize between comp This policy setting configures the backup of certain user settings for Microsoft Project 2016. + Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings. - If you enable this policy setting, certain user settings of Microsoft Project 2016 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft Project 2016 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -4884,10 +5109,13 @@ Microsoft Project 2016 has user settings that are backed up instead of synchroni This policy setting configures the synchronization of user settings for Microsoft Publisher 2016. + By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers. - If you enable this policy setting, Microsoft Publisher 2016 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Publisher 2016 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -4947,10 +5175,13 @@ By default, the user settings of Microsoft Publisher 2016 synchronize between co This policy setting configures the backup of certain user settings for Microsoft Publisher 2016. + Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings. - If you enable this policy setting, certain user settings of Microsoft Publisher 2016 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft Publisher 2016 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -5010,10 +5241,13 @@ Microsoft Publisher 2016 has user settings that are backed up instead of synchro This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center. + By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers. - If you enable this policy setting, Microsoft Office 2016 Upload Center user settings continue to synchronize. + - If you disable this policy setting, Microsoft Office 2016 Upload Center user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -5073,10 +5307,13 @@ By default, the user settings of Microsoft Office 2016 Upload Center synchronize This policy setting configures the synchronization of user settings for Microsoft Visio 2016. + By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers. - If you enable this policy setting, Microsoft Visio 2016 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Visio 2016 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -5136,10 +5373,13 @@ By default, the user settings of Microsoft Visio 2016 synchronize between comput This policy setting configures the backup of certain user settings for Microsoft Visio 2016. + Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings. - If you enable this policy setting, certain user settings of Microsoft Visio 2016 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft Visio 2016 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. @@ -5199,10 +5439,13 @@ Microsoft Visio 2016 has user settings that are backed up instead of synchronizi This policy setting configures the synchronization of user settings for Microsoft Word 2016. + By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers. - If you enable this policy setting, Microsoft Word 2016 user settings continue to synchronize. + - If you disable this policy setting, Microsoft Word 2016 user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -5262,10 +5505,13 @@ By default, the user settings of Microsoft Word 2016 synchronize between compute This policy setting configures the backup of certain user settings for Microsoft Word 2016. + Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings. - If you enable this policy setting, certain user settings of Microsoft Word 2016 will continue to be backed up. + - If you disable this policy setting, certain user settings of Microsoft Word 2016 won't be backed up. + - If you don't configure this policy setting, any defined values will be deleted. @@ -5325,10 +5571,13 @@ Microsoft Word 2016 has user settings that are backed up instead of synchronizin This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 Access 2013 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 Access 2013 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -5388,10 +5637,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 Access 2016 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 Access 2016 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -5451,10 +5703,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V. - If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize with UE-V. + - If you disable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -5514,10 +5769,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V. - If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize with UE-V. + - If you disable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -5577,10 +5835,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 Excel 2013 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 Excel 2013 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. @@ -5640,10 +5901,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 Excel 2016 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 Excel 2016 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -5703,10 +5967,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 InfoPath 2013 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 InfoPath 2013 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. @@ -5766,10 +6033,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 Lync 2013 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 Lync 2013 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -5829,10 +6099,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 Lync 2016 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 Lync 2016 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. @@ -5892,10 +6165,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 OneNote 2013 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 OneNote 2013 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -5955,10 +6231,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 OneNote 2016 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 OneNote 2016 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. @@ -6018,10 +6297,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 Outlook 2013 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 Outlook 2013 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -6081,10 +6363,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 Outlook 2016 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 Outlook 2016 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. @@ -6144,10 +6429,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -6207,10 +6495,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. @@ -6270,10 +6561,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 Project 2013 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 Project 2013 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -6333,10 +6627,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 Project 2016 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 Project 2016 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. @@ -6396,10 +6693,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 Publisher 2013 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 Publisher 2013 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -6459,10 +6759,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 Publisher 2016 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 Publisher 2016 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. @@ -6522,10 +6825,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -6585,10 +6891,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 Visio 2013 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 Visio 2013 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. @@ -6648,10 +6957,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 Visio 2016 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 Visio 2016 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -6711,10 +7023,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 Word 2013 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 Word 2013 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. @@ -6774,10 +7089,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016. + Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V. - If you enable this policy setting, Microsoft Office 365 Word 2016 user settings continue to sync with UE-V. + - If you disable this policy setting, Microsoft Office 365 Word 2016 user settings are excluded from synchronization with UE-V. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -6837,10 +7155,13 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t This policy setting configures the synchronization of user settings for the Music app. + By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers. - If you enable this policy setting, Music user settings continue to sync. + - If you disable this policy setting, Music user settings are excluded from the synchronizing settings. + - If you don't configure this policy setting, any defined values will be deleted. @@ -6901,10 +7222,13 @@ By default, the user settings of Music sync between computers. Use the policy se This policy setting configures the synchronization of user settings for the News app. + By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers. - If you enable this policy setting, News user settings continue to sync. + - If you disable this policy setting, News user settings are excluded from synchronization. + - If you don't configure this policy setting, any defined values will be deleted. @@ -6965,10 +7289,13 @@ By default, the user settings of News sync between computers. Use the policy set This policy setting configures the synchronization of user settings of Notepad. + By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers. - If you enable this policy setting, the Notepad user settings continue to synchronize. + - If you disable this policy setting, Notepad user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
@@ -7029,10 +7356,13 @@ By default, the user settings of Notepad synchronize between computers. Use the This policy setting configures the synchronization of user settings for the Reader app. + By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers. - If you enable this policy setting, Reader user settings continue to sync. + - If you disable this policy setting, Reader user settings are excluded from the synchronization. + - If you don't configure this policy setting, any defined values will be deleted. @@ -7093,9 +7423,11 @@ By default, the user settings of Reader sync between computers. Use the policy s This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location. + You can use this setting to override the default value of 2000 milliseconds. - If you enable this policy setting, set the number of milliseconds that the system waits to retrieve settings. + - If you disable or don't configure this policy setting, the default value of 2000 milliseconds is used. @@ -7157,6 +7489,7 @@ You can use this setting to override the default value of 2000 milliseconds. This policy setting configures where the settings package files that contain user settings are stored. - If you enable this policy setting, the user settings are stored in the specified location. + - If you disable or don't configure this policy setting, the user settings are stored in the user's home directory if configured for your environment. 
@@ -7214,10 +7547,15 @@ This policy setting configures where the settings package files that contain use This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace the default Microsoft templates installed with the UE-V Agent. - If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location. + If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they will be ignored. + If you specify a UNC path and check the option to replace the default Microsoft templates, all of the default Microsoft templates installed by the UE-V Agent will be deleted from the computer and only the templates located in the settings template catalog will be used. + - If you disable this policy setting, the UE-V Agent won't use the custom settings location templates. + - If you disable this policy setting after it has been enabled, the UE-V Agent won't restore the default Microsoft templates. + - If you don't configure this policy setting, any defined values will be deleted. 
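Review bot: In the settings template catalog hunk, the two paragraphs beginning "If you specify a UNC path" are sub-cases of the "If you enable this policy setting" bullet, but they are now fenced off by added blank lines on both sides. Unless they are indented under that bullet, they will render as top-level paragraphs and split the list, so the "If you disable" and "If you don't configure" bullets end up in a separate list from "If you enable". Indent both paragraphs under the enable bullet, or turn them into nested bullets, so the three states stay in one list.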
@@ -7277,10 +7615,13 @@ If you specify a UNC path and check the option to replace the default Microsoft This policy setting configures the synchronization of user settings for the Sports app. + By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers. - If you enable this policy setting, Sports user settings continue to sync. + - If you disable this policy setting, Sports user settings are excluded from synchronization. + - If you don't configure this policy setting, any defined values will be deleted. @@ -7400,9 +7741,13 @@ This policy setting allows you to enable or disable User Experience Virtualizati This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections. + By default, the UE-V Agent doesn't synchronize settings over a metered connection. + With this setting enabled, the UE-V Agent synchronizes settings over a metered connection. + With this setting disabled, the UE-V Agent doesn't synchronize settings over a metered connection. + If you don't configure this policy setting, any defined values are deleted. @@ -7463,9 +7808,13 @@ If you don't configure this policy setting, any defined values are deleted. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections outside of the home provider network, for example when connected via a roaming connection. + By default, the UE-V Agent doesn't synchronize settings over a metered connection that's roaming. + With this setting enabled, the UE-V Agent synchronizes settings over a metered connection that's roaming. + With this setting disabled, the UE-V Agent won't synchronize settings over a metered connection that's roaming. + If you don't configure this policy setting, any defined values are deleted. 
@@ -7528,7 +7877,9 @@ If you don't configure this policy setting, any defined values are deleted. This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn't attempt the synchronization. - If you enable this policy setting, the sync provider pings the settings storage location before synchronizing settings packages. + - If you disable this policy setting, the sync provider doesn't ping the settings storage location before synchronizing settings packages. + - If you don't configure this policy, any defined values will be deleted. @@ -7585,9 +7936,13 @@ This policy setting allows you to configure the User Experience Virtualization ( This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE-V) Agent for Windows apps that aren't explicitly listed in Windows App List. + By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List. + With this setting enabled, the settings of all Windows apps not expressly disable in the Windows App List are synchronized. + With this setting disabled, only the settings of the Windows apps set to synchronize in the Windows App List are synchronized. + If you don't configure this policy setting, any defined values are deleted. 
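Review bot: In the Windows App List hunk (-7585,9 +7936,13), the line "With this setting enabled, the settings of all Windows apps not expressly disable in the Windows App List are synchronized." still has "disable" where "disabled" is meant. The change already touches the spacing around this sentence, so correct the word in the same pass. The sentence defines which apps sync by default, and the current wording makes that scope harder to read.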
@@ -7648,10 +8003,13 @@ If you don't configure this policy setting, any defined values are deleted. This policy setting configures the synchronization of user settings for the Travel app. + By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers. - If you enable this policy setting, Travel user settings continue to sync. + - If you disable this policy setting, Travel user settings are excluded from synchronization. + - If you don't configure this policy setting, any defined values will be deleted. @@ -7708,7 +8066,9 @@ By default, the user settings of Travel sync between computers. Use the policy s This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default, an icon appears in the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application, Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by double-clicking the icon. When this group policy setting is enabled, the UE-V tray icon is visible, the UE-V notifications display, and the Company Settings Center is accessible from the tray icon. + With this setting disabled, the tray icon doesn't appear in the system tray, UE-V never displays notifications, and the user can't access Company Settings Center from the system tray. The Company Settings Center remains accessible through the Control Panel and the Start menu or Start screen. + If you don't configure this policy setting, any defined values are deleted. 
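Review bot: In the tray icon hunk (-7708,7 +8066,9), the enabled state is still buried at the end of the first paragraph ("When this group policy setting is enabled, the UE-V tray icon is visible, ...") while the disabled and not-configured states are now split into their own paragraphs. Break the enabled sentence out as well so the three states read in parallel. Consider also wording it "With this setting enabled" to match the "With this setting disabled" sentence that follows.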
@@ -7769,10 +8129,13 @@ If you don't configure this policy setting, any defined values are deleted. This policy setting configures the synchronization of user settings for the Video app. + By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers. - If you enable this policy setting, Video user settings continue to sync. + - If you disable this policy setting, Video user settings are excluded from synchronization. + - If you don't configure this policy setting, any defined values will be deleted. @@ -7833,10 +8196,13 @@ By default, the user settings of Video sync between computers. Use the policy se This policy setting configures the synchronization of user settings for the Weather app. + By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers. - If you enable this policy setting, Weather user settings continue to sync. + - If you disable this policy setting, Weather user settings are excluded from synchronization. + - If you don't configure this policy setting, any defined values will be deleted. @@ -7897,10 +8263,13 @@ By default, the user settings of Weather sync between computers. Use the policy This policy setting configures the synchronization of user settings of WordPad. + By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers. - If you enable this policy setting, the WordPad user settings continue to synchronize. + - If you disable this policy setting, WordPad user settings are excluded from the synchronization settings. + - If you don't configure this policy setting, any defined values will be deleted. 
diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md index d0294c3471..f3cd36cf4c 100644 --- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_UserProfiles Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -233,9 +233,13 @@ This policy setting sets the maximum size of each user profile and determines th - If you enable this policy setting, you can: - Set a maximum permitted user profile size. + - Determine whether the registry files are included in the calculation of the profile size. + - Determine whether users are notified when the profile exceeds the permitted maximum size. + - Specify a customized message notifying users of the oversized profile. + - Determine how often the customized message is displayed. > [!NOTE] 
@@ -365,7 +369,10 @@ This policy setting and related policy settings in this folder together define t - If you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection to be slow. -- If you disable or don't configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond. Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections. Important: If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. +- If you disable or don't configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond. Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections. + +> [!IMPORTANT] +> If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md index 8ba901e770..7688d55e7b 100644 --- a/windows/client-management/mdm/policy-csp-admx-w32time.md +++ b/windows/client-management/mdm/policy-csp-admx-w32time.md 
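Review bot: In the slow-network hunk of policy-csp-admx-userprofiles.md (-365,7 +369,10), the rewritten bullet still reads "or take 120 milliseconds to respond"; it should be "or takes 120 milliseconds to respond". The line is being replaced anyway, so fix the verb in this change. In the new `> [!IMPORTANT]` callout, "there is no local copy" could also become "there's no local copy" to match the contractions used in the rest of the file.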
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_W32Time Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -45,80 +45,104 @@ This policy setting allows you to specify Clock discipline and General values fo For more details on individual parameters, combinations of parameter values as well as definitions of flags, see< https://go.microsoft.com/fwlink/?linkid=847809>. -FrequencyCorrectRate +FrequencyCorrectRate. + This parameter controls the rate at which the W32time corrects the local clock's frequency. Lower values cause larger corrections; larger values cause smaller corrections. Default: 4 (scalar). -HoldPeriod +HoldPeriod. + This parameter indicates how many consistent time samples the client computer must receive in a series before subsequent time samples are evaluated as potential spikes. Default: 5 -LargePhaseOffset +LargePhaseOffset. + If a time sample differs from the client computer's local clock by more than LargePhaseOffset, the local clock is deemed to have drifted considerably, or in other words, spiked. Default: 50,000,000 100-nanosecond units (ns) or 5 seconds. -MaxAllowedPhaseOffset +MaxAllowedPhaseOffset. + If a response is received that has a time variation that's larger than this parameter value, W32time sets the client computer's local clock immediately to the time that's accepted as accurate from the Network Time Protocol (NTP) server. If the time variation is less than this value, the client computer's local clock is corrected gradually. Default: 300 seconds. -MaxNegPhaseCorrection +MaxNegPhaseCorrection. + If a time sample is received that indicates a time in the past (as compared to the client computer's local clock) that has a time difference that's greater than the MaxNegPhaseCorrection value, the time sample is discarded. Default: 172,800 seconds. -MaxPosPhaseCorrection +MaxPosPhaseCorrection. + If a time sample is received that indicates a time in the future (as compared to the client computer's local clock) that has a time difference greater than the MaxPosPhaseCorrection value, the time sample is discarded. Default: 172,800 seconds. 
-PhaseCorrectRate +PhaseCorrectRate. + This parameter controls how quickly W32time corrects the client computer's local clock difference to match time samples that are accepted as accurate from the NTP server. Lower values cause the clock to correct more quickly; larger values cause the clock to correct more slowly. Default: 7 (scalar). -PollAdjustFactor +PollAdjustFactor. + This parameter controls how quickly W32time changes polling intervals. When responses are considered to be accurate, the polling interval lengthens automatically. When responses are considered to be inaccurate, the polling interval shortens automatically. Default: 5 (scalar). -SpikeWatchPeriod +SpikeWatchPeriod. + This parameter specifies the amount of time that samples with time offset larger than LargePhaseOffset are received before these samples are accepted as accurate. SpikeWatchPeriod is used in conjunction with HoldPeriod to help eliminate sporadic, inaccurate time samples that are returned from a peer. Default: 900 seconds. -UpdateInterval +UpdateInterval. + This parameter specifies the amount of time that W32time waits between corrections when the clock is being corrected gradually. When it makes a gradual correction, the service adjusts the clock slightly, waits this amount of time, and then checks to see if another adjustment is needed, until the correction is finished. Default: 100 1/100th second units, or 1 second. General parameters: -AnnounceFlags -This parameter is a bitmask value that controls how time service availability is advertised through NetLogon. Default: 0x0a hexadecimal +AnnounceFlags. + +This parameter is a bitmask value that controls how time service availability is advertised through NetLogon. Default: 0x0a hexadecimal. + +EventLogFlags. -EventLogFlags This parameter controls special events that may be logged to the Event Viewer System log. Default: 0x02 hexadecimal bitmask. 
-LocalClockDispersion -This parameter indicates the maximum error in seconds that's reported by the NTP server to clients that are requesting a time sample. (Applies only when the NTP server is using the time of the local CMOS clock.) Default: 10 seconds. +LocalClockDispersion. -MaxPollInterval -This parameter controls the maximum polling interval, which defines the maximum amount of time between polls of a peer. Default: 10 in log base-2, or 1024 seconds. (Should not be set higher than 15.) +This parameter indicates the maximum error in seconds that's reported by the NTP server to clients that are requesting a time sample. (Applies only when the NTP server is using the time of the local CMOS clock). Default: 10 seconds. + +MaxPollInterval. + +This parameter controls the maximum polling interval, which defines the maximum amount of time between polls of a peer. Default: 10 in log base-2, or 1024 seconds. (Should not be set higher than 15). + +MinPollInterval. -MinPollInterval This parameter controls the minimum polling interval that defines the minimum amount of time between polls of a peer. Default: 6 in log base-2, or 64 seconds. -ClockHoldoverPeriod +ClockHoldoverPeriod. + This parameter indicates the maximum number of seconds a system clock can nominally hold its accuracy without synchronizing with a time source. If this period of time passes without W32time obtaining new samples from any of its input providers, W32time initiates a rediscovery of time sources. Default: 7800 seconds. -RequireSecureTimeSyncRequests +RequireSecureTimeSyncRequests. + This parameter controls whether or not the DC will respond to time sync requests that use older authentication protocols. If enabled (set to 1), the DC won't respond to requests using such protocols. Default: 0 Boolean. -UtilizeSslTimeData -This parameter controls whether W32time will use time data computed from SSL traffic on the machine as an additional input for correcting the local clock. 
Default: 1 (enabled) Boolean +UtilizeSslTimeData. + +This parameter controls whether W32time will use time data computed from SSL traffic on the machine as an additional input for correcting the local clock. Default: 1 (enabled) Boolean. + +ClockAdjustmentAuditLimit. -ClockAdjustmentAuditLimit This parameter specifies the smallest local clock adjustments that may be logged to the W32time service event log on the target machine. Default: 800 Parts per million (PPM). RODC parameters: -ChainEntryTimeout +ChainEntryTimeout. + This parameter specifies the maximum amount of time that an entry can remain in the chaining table before the entry is considered to be expired. Expired entries may be removed when the next request or response is processed. Default: 16 seconds. -ChainMaxEntries +ChainMaxEntries. + This parameter controls the maximum number of entries that are allowed in the chaining table. If the chaining table is full and no expired entries can be removed, any incoming requests are discarded. Default: 128 entries. -ChainMaxHostEntries +ChainMaxHostEntries. + This parameter controls the maximum number of entries that are allowed in the chaining table for a particular host. Default: 4 entries. -ChainDisable +ChainDisable. + This parameter controls whether or not the chaining mechanism is disabled. If chaining is disabled (set to 0), the RODC can synchronize with any domain controller, but hosts that don't have their passwords cached on the RODC won't be able to synchronize with the RODC. Default: 0 Boolean. -ChainLoggingRate +ChainLoggingRate. + This parameter controls the frequency at which an event that indicates the number of successful and unsuccessful chaining attempts is logged to the System log in Event Viewer. Default: 30 minutes. 
@@ -179,25 +203,32 @@ This policy setting specifies a set of parameters for controlling the Windows NT - If you disable or don't configure this policy setting, the Windows NTP Client uses the defaults of each of the following parameters. -NtpServer +NtpServer. + The Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of "dnsName,flags" where "flags" is a hexadecimal bitmask of the flags for that host. For more information, see the NTP Client Group Policy Settings Associated with Windows Time section of the Windows Time Service Group Policy Settings. The default value is "time.windows.com,0x09". -Type +Type. + This value controls the authentication that W32time uses. The default value is NT5DS. -CrossSiteSyncFlags +CrossSiteSyncFlags. + This value, expressed as a bitmask, controls how W32time chooses time sources outside its own site. The possible values are 0, 1, and 2. Setting this value to 0 (None) indicates that the time client shouldn't attempt to synchronize time outside its site. Setting this value to 1 (PdcOnly) indicates that only the computers that function as primary domain controller (PDC) emulator operations masters in other domains can be used as synchronization partners when the client has to synchronize time with a partner outside its own site. Setting a value of 2 (All) indicates that any synchronization partner can be used. This value is ignored if the NT5DS value isn't set. The default value is 2 decimal (0x02 hexadecimal). -ResolvePeerBackoffMinutes +ResolvePeerBackoffMinutes. + This value, expressed in minutes, controls how long W32time waits before it attempts to resolve a DNS name when a previous attempt failed. The default value is 15 minutes. -ResolvePeerBackoffMaxTimes +ResolvePeerBackoffMaxTimes. + This value controls how many times W32time attempts to resolve a DNS name before the discovery process is restarted. 
Each time DNS name resolution fails, the amount of time to wait before the next attempt will be twice the previous amount. The default value is seven attempts. -SpecialPollInterval +SpecialPollInterval. + This NTP client value, expressed in seconds, controls how often a manually configured time source is polled when the time source is configured to use a special polling interval. If the SpecialInterval flag is enabled on the NTPServer setting, the client uses the value that's set as the SpecialPollInterval, instead of a variable interval between MinPollInterval and MaxPollInterval values, to determine how frequently to poll the time source. SpecialPollInterval must be in the range of [MinPollInterval, MaxPollInterval], else the nearest value of the range is picked. Default: 1024 seconds. -EventLogFlags +EventLogFlags. + This value is a bitmask that controls events that may be logged to the System log in Event Viewer. Setting this value to 0x1 indicates that W32time will create an event whenever a time jump is detected. Setting this value to 0x2 indicates that W32time will create an event whenever a time source change is made. Because it's a bitmask value, setting 0x3 (the addition of 0x1 and 0x2) indicates that both time jumps and time source changes will be logged. diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md index 16acc01304..864c2f00fc 100644 --- a/windows/client-management/mdm/policy-csp-admx-wcm.md +++ b/windows/client-management/mdm/policy-csp-admx-wcm.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_WCM Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -106,9 +106,11 @@ This policy setting determines whether Windows will soft-disconnect a computer f When soft disconnect is enabled: - - When Windows decides that the computer should no longer be connected to a network, it waits for traffic to settle on that network. The existing TCP session will continue uninterrupted. - - Windows then checks the traffic level on the network periodically. If the traffic level is above a certain threshold, no further action is taken. The computer stays connected to the network and continues to use it. For example, if the network connection is currently being used to download files from the Internet, the files will continue to be downloaded using that network connection. - - When the network traffic drops below this threshold, the computer will be disconnected from the network. Apps that keep a network connection active even when they're not actively using it (for example, email apps) might lose their connection. If this happens, these apps should re-establish their connection over a different network. +- When Windows decides that the computer should no longer be connected to a network, it waits for traffic to settle on that network. The existing TCP session will continue uninterrupted. + +- Windows then checks the traffic level on the network periodically. If the traffic level is above a certain threshold, no further action is taken. The computer stays connected to the network and continues to use it. For example, if the network connection is currently being used to download files from the Internet, the files will continue to be downloaded using that network connection. + +- When the network traffic drops below this threshold, the computer will be disconnected from the network. Apps that keep a network connection active even when they're not actively using it (for example, email apps) might lose their connection. If this happens, these apps should re-establish their connection over a different network. 
This policy setting depends on other group policy settings. For example, if 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is disabled, Windows won't disconnect from any networks. diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md index a9b955dddf..894b258e47 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_WindowsConnectNow Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -43,7 +43,7 @@ This policy setting prohibits access to Windows Connect Now (WCN) wizards. - If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. -- If you disable or don't configure this policy setting, users can access the wizard tasks, including "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards. +- If you disable or don't configure this policy setting, users can access the wizard tasks, including "Set up a wireless router or access point" and "Add a wireless device". The default for this policy setting allows users to access all WCN wizards. 
@@ -102,7 +102,7 @@ This policy setting prohibits access to Windows Connect Now (WCN) wizards. - If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. -- If you disable or don't configure this policy setting, users can access the wizard tasks, including "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards. +- If you disable or don't configure this policy setting, users can access the wizard tasks, including "Set up a wireless router or access point" and "Add a wireless device". The default for this policy setting allows users to access all WCN wizards. diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index effde9040f..4a8727e522 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -104,6 +104,7 @@ This policy setting allows you to prevent data loss when you change the target l This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior. - If you enable this setting, users can't configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a result, the user interface looks and operates like the interface for Windows NT 4.0, and users can't restore the new features. + Enabling this policy will also turn off the preview pane and set the folder options for File Explorer to Use classic folders view and disable the users ability to change these options. - If you disable or not configure this policy, the default File Explorer behavior is applied to the user. @@ -351,15 +352,19 @@ This disables access to user-defined properties, and properties stored in NTFS s This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to function properly. - If you enable this policy, some Windows Libraries features will be turned off to better handle included folders that have been redirected to non-indexed network locations. + Setting this policy will: + * Disable all Arrangement views except for "By Folder" * Disable all Search filter suggestions other than "Date Modified" and "Size" * Disable view of file content snippets in Content mode when search results are returned * Disable ability to stack in the Context menu and Column headers -* Exclude Libraries from the scope of Start search +* Exclude Libraries from the scope of Start search. + This policy won't enable users to add unsupported locations to Libraries. - If you enable this policy, Windows Libraries features that rely on indexed file data will be disabled. + - If you disable or don't configure this policy, all default Windows Libraries features will be enabled. 
@@ -604,7 +609,7 @@ Some information is sent to Microsoft about files and programs run on PCs with t - If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options: - Warn and prevent bypass -- Warn +- Warn. - If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs won't present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app. @@ -737,6 +742,7 @@ For shell extensions to run on a per-user basis, there must be an entry at HKEY_ This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened. - If you enable this policy setting, you can set how the ribbon appears the first time users open File Explorer and whenever they open new windows. + - If you disable or don't configure this policy setting, users can choose how the ribbon appears when they open new windows. @@ -2238,7 +2244,7 @@ The Recent Items menu contains shortcuts to the nonprogram files the user has mo - If you enable this policy setting, the system displays the number of shortcuts specified by the policy setting. -- If you disable or don't configure this policy setting, by default, the system displays shortcuts to the 10 most recently opened documents." +- If you disable or don't configure this policy setting, by default, the system displays shortcuts to the 10 most recently opened documents". 
@@ -3660,6 +3666,7 @@ This policy setting doesn't affect the Search items on the File Explorer context This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical order. - If you enable this policy setting, File Explorer will sort file names by each digit in a file name (for example, 111 < 22 < 3). + - If you disable or don't configure this policy setting, File Explorer will sort file names by increasing number value (for example, 3 < 22 < 111). @@ -3969,9 +3976,9 @@ The valid items you may display in the Places Bar are: 2) Shortcuts to remote folders -- (\\server\share) -3) FTP folders +3) FTP folders. -4) web folders +4) web folders. 5) Common Shell folders. diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md index 6ec3963e29..87267407d6 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_WindowsMediaPlayer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -44,7 +44,9 @@ This policy setting allows you to specify the HTTP proxy settings for Windows Me - If you enable this policy setting, select one of the following proxy types: - Autodetect: the proxy settings are automatically detected. + - Custom: unique proxy settings are used. + - Use browser proxy settings: browser's proxy settings are used. If the Custom proxy type is selected, the rest of the options on the Setting tab must be specified because no default settings are used for the proxy. The options are ignored if Autodetect or Browser is selected. 
@@ -115,6 +117,7 @@ This policy setting allows you to specify the MMS proxy settings for Windows Med - If you enable this policy setting, select one of the following proxy types: - Autodetect: the proxy settings are automatically detected. + - Custom: unique proxy settings are used. If the Custom proxy type is selected, the rest of the options on the Setting tab must be specified; otherwise, the default settings are used. The options are ignored if Autodetect is selected. @@ -185,6 +188,7 @@ This policy setting allows you to specify the RTSP proxy settings for Windows Me - If you enable this policy setting, select one of the following proxy types: - Autodetect: the proxy settings are automatically detected. + - Custom: unique proxy settings are used. If the Custom proxy type is selected, the rest of the options on the Setting tab must be specified; otherwise, the default settings are used. The options are ignored if Autodetect is selected. @@ -739,6 +743,7 @@ This policy setting allows you to specify whether network buffering uses the def - If you enable this policy setting, select one of the following options to specify the number of seconds streaming media is buffered before it's played. - Custom: the number of seconds, up to 60, that streaming media is buffered. + - Default: default network buffering is used and the number of seconds that's specified is ignored. The "Use default buffering" and "Buffer" options on the Performance tab in the Player aren't available. diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md index 6d8729d3a0..c53065c78d 100644 --- a/windows/client-management/mdm/policy-csp-admx-winlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md 
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_WinLogon Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -360,8 +360,11 @@ This policy setting controls whether or not software can simulate the Secure Att - If you enable this policy setting, you have one of four options: If you set this policy setting to "None," user mode software can't simulate the SAS. + If you set this policy setting to "Services," services can simulate the SAS. + If you set this policy setting to "Ease of Access applications," Ease of Access applications can simulate the SAS. + If you set this policy setting to "Services and Ease of Access applications," both services and Ease of Access applications can simulate the SAS. - If you disable or don't configure this setting, only Ease of Access applications running on the secure desktop can simulate the SAS. diff --git a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md index 4b7838b695..c0b857187f 100644 --- a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md +++ b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_WorkFoldersClient Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -156,6 +156,7 @@ This policy specifies whether Work Folders should use Token Broker for interacti This policy setting specifies the Work Folders server for affected users, as well as whether or not users are allowed to change settings when setting up Work Folders on a domain-joined computer. - If you enable this policy setting, affected users receive Work Folders settings when they sign in to a domain-joined PC. + - If this policy setting is disabled or not configured, no Work Folders settings are specified for the affected users, though users can manually set up Work Folders by using the Work Folders Control Panel item. The "Work Folders URL" can specify either the URL used by the organization for Work Folders discovery, or the specific URL of the file server that stores the affected users' data. 
@@ -168,7 +169,9 @@ The "Work Folders Local Path" specifies the local folder used on the client mach The "On-demand file access preference" option controls whether to enable on-demand file access. When enabled, the user controls which files in Work Folders are available offline on a given PC. The rest of the files in Work Folders are always visible and don't take up any space on the PC, but the user must be connected to the Internet to access them. - If you enable this policy setting, on-demand file access is enabled. + - If you disable this policy setting, on-demand file access is disabled, and enough storage space to store all the user's files is required on each of their PCs. + If you specify User choice or don't configure this policy setting, the user decides whether to enable on-demand file access. However, if the Force automatic setup policy setting is enabled, Work Folders is set up automatically with on-demand file access enabled. The "Force automatic setup" option specifies that Work Folders should be set up automatically without prompting users. This prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. By default, Work Folders is stored in the "%USERPROFILE%\Work Folders" folder. If this option isn't specified, users must use the Work Folders Control Panel item on their computers to set up Work Folders. diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 90a0ae5825..3b93d81859 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md 
@@ -4,7 +4,7 @@ description: Learn more about the ApplicationDefaults Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -40,7 +40,8 @@ ms.topic: reference This policy specifies the path to a file (e.g. either stored locally or on a network location) that contains file type and protocol default application associations. This file can be created using the DISM tool. For example: -Dism.exe /Online /Export-DefaultAppAssociations:C:\AppAssoc.txt + +Dism.exe /Online /Export-DefaultAppAssociations:C:\AppAssoc.txt. For more information, refer to the DISM documentation on TechNet. diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index a360d0d4bc..9286bcdf16 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -4,7 +4,7 @@ description: Learn more about the ApplicationManagement Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -310,6 +310,7 @@ Allows or denies development of Microsoft Store applications and installing them Windows Game Recording and Broadcasting. This setting enables or disables the Windows Game Recording and Broadcasting features. If you disable this setting, Windows Game Recording won't be allowed. + If the setting is enabled or not configured, then Recording and Broadcasting (streaming) will be allowed. diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index 07697f66e8..2cad1d5a95 100644 --- a/windows/client-management/mdm/policy-csp-audit.md 
+++ b/windows/client-management/mdm/policy-csp-audit.md @@ -4,7 +4,7 @@ description: Learn more about the Audit Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -99,7 +99,9 @@ Volume: High on domain controllers. This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. + - If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests. + - If you don't configure this policy setting, no audit event is generated after a Kerberos authentication TGT request. @@ -162,7 +164,9 @@ Volume: High on Kerberos Key Distribution Center servers. This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. + - If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests. + - If you don't configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account. 
@@ -407,7 +411,9 @@ Volume: Low on a client computer. Medium on a domain controller or a network ser This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. + - If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation. @@ -470,7 +476,9 @@ Volume: High. This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. + - If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. 
@@ -532,9 +540,7 @@ Volume: High. -This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. -- If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -- If you don't configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. +This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you don't configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. @@ -596,7 +602,9 @@ Volume: High. This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged-on to. + - If you configure this policy setting, an audit event is generated when a logon session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. + - If you don't configure this policy setting, no audit event is generated when a logon session is closed. 
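Review bot: The @@ -532,9 +540,7 @@ hunk (Quick Mode) goes the opposite way from every neighbouring hunk in policy-csp-audit.md. It removes the two bullets ("- If you configure this policy setting..." and "- If you don't configure this policy setting...") and folds them into the description paragraph, while the Extended Mode and Main Mode hunks keep the bullets and add blank lines around them. Suggest keeping the list here as well and adding the same blank lines, so the three IPsec subcategories render alike.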
@@ -720,7 +728,9 @@ Volume: Low on a client computer. Medium on a domain controller or a network ser This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. + - If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts. + - If you don't configure this policy settings, IAS and NAP user access requests aren't audited. @@ -966,7 +976,9 @@ Volume: Low on a client computer. Medium on a domain controller or a network ser This policy setting allows you to audit events generated by changes to application groups such as the following: Application group is created, changed, or deleted. Member is added or removed from an application group. + - If you configure this policy setting, an audit event is generated when an attempt to change an application group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated when an application group changes. @@ -1029,7 +1041,9 @@ Volume: Low. This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. + - If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated when a computer account changes. 
@@ -1092,7 +1106,9 @@ Volume: Low. This policy setting allows you to audit events generated by changes to distribution groups such as the following: Distribution group is created, changed, or deleted. Member is added or removed from a distribution group. Distribution group type is changed. + - If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated when a distribution group changes. > [!NOTE] @@ -1219,7 +1235,9 @@ Volume: Low. This policy setting allows you to audit events generated by changes to security groups such as the following: Security group is created, changed, or deleted. Member is added or removed from a security group. Group type is changed. + - If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated when a security group changes. 
@@ -1282,7 +1300,9 @@ Volume: Low. This policy setting allows you to audit changes to user accounts. Events include the following: A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. A user account's password is set or changed. A security identifier (SID) is added to the SID History of a user account. The Directory Services Restore Mode password is configured. Permissions on administrative user accounts are changed. Credential Manager credentials are backed up or restored. + - If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated when a user account changes. @@ -1345,7 +1365,9 @@ Volume: Low. This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see [How to Use Data Protection](/dotnet/standard/security/how-to-use-data-protection). + - If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. + - If you don't configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. 
@@ -1408,7 +1430,9 @@ Volume: Low. This policy setting allows you to audit when plug and play detects an external device. + - If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category. + - If you don't configure this policy setting, no audit event is generated when an external device is detected by plug and play. @@ -1471,7 +1495,9 @@ Volume: Low. This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. + - If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated when a process is created. @@ -1534,7 +1560,9 @@ Volume: Depends on how the computer is used. This policy setting allows you to audit events generated when a process ends. + - If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated when a process ends. @@ -1597,7 +1625,9 @@ Volume: Depends on how the computer is used. This policy setting allows you to audit inbound remote procedure call (RPC) connections. + - If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated when a remote RPC connection is attempted. 
@@ -1846,7 +1876,9 @@ This policy setting allows you to audit events generated by changes to objects i > [!NOTE] > Actions on some objects and properties don't cause audit events to be generated due to settings on the object class in the schema. + - If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded. + - If you don't configure this policy setting, no audit event is generated when an attempt to change an object in AD DS object is made. @@ -1909,7 +1941,9 @@ Volume: High on domain controllers only. This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. + - If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication. + - If you don't configure this policy setting, no audit event is generated during AD DS replication. @@ -2155,6 +2189,7 @@ Volume: Medium or Low on computers running Active Directory Certificate Services This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. + - If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures. > [!NOTE] 
@@ -2222,7 +2257,9 @@ Volume: High on a file server or domain controller because of SYSVOL network acc This policy setting allows you to audit attempts to access a shared folder. + - If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. + - If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. > [!NOTE] @@ -2290,7 +2327,9 @@ Volume: High on a file server or domain controller because of SYSVOL network acc This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see< https://go.microsoft.com/fwlink/?LinkId=122083>. + - If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. > [!NOTE] 
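Review bot: The context line in the @@ -2290,7 +2327,9 @@ hunk still carries a malformed autolink, `see< https://go.microsoft.com/fwlink/?LinkId=122083>.`, with no space before `<` and a stray space after it, so it won't render as a link. Since this paragraph is being re-spaced anyway, suggest correcting it to `see <https://go.microsoft.com/fwlink/?LinkId=122083>.` in the same change.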
@@ -2356,7 +2395,9 @@ Volume: Depends on how the file system SACLs are configured. This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). The following events are included: The Windows Firewall Service blocks an application from accepting incoming connections on the network. The WFP allows a connection. The WFP blocks a connection. The WFP permits a bind to a local port. The WFP blocks a bind to a local port. The WFP allows a connection. The WFP blocks a connection. The WFP permits an application or service to listen on a port for incoming connections. The WFP blocks an application or service to listen on a port for incoming connections. + - If you configure this policy setting, an audit event is generated when connections are allowed or blocked by the WFP. Success audits record events generated when connections are allowed and Failure audits record events generated when connections are blocked. + - If you don't configure this policy setting, no audit event is generated when connected are allowed or blocked by the WFP. @@ -2480,7 +2521,9 @@ Volume: High. This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. + - If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated when a handle is manipulated. > [!NOTE] 
@@ -2671,7 +2714,9 @@ Volume: Low. This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. + - If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL. > [!NOTE] @@ -2737,7 +2782,9 @@ Volume: Depends on how registry SACLs are configured. This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. + - If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. 
@@ -2799,7 +2846,9 @@ This policy setting allows you to audit user attempts to access file system obje This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. SAM objects include the following: SAM_ALIAS -- A local group. SAM_GROUP -- A group that isn't a local group. SAM_USER - A user account. SAM_DOMAIN - A domain. SAM_SERVER - A computer account. + - If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated when an attempt to access a kernel object is made. > [!NOTE] @@ -2865,7 +2914,9 @@ Volume: High on domain controllers. For more information about reducing the numb This policy setting allows you to audit events generated by changes to the authentication policy such as the following: Creation of forest and domain trusts. Modification of forest and domain trusts. Removal of forest and domain trusts. Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. Granting of any of the following user rights to a user or group: Access This Computer From the Network. Allow Logon Locally. Allow Logon Through Terminal Services. Logon as a Batch Job. Logon a Service. Namespace collision. For example, when a new trust has the same name as an existing namespace name. + - If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated when the authentication policy is changed. > [!NOTE] 
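Review bot: In the @@ -2865,7 +2914,9 @@ hunk the description line lists the user rights as "Logon as a Batch Job. Logon a Service.", and the second item has lost its "as". The blank lines added here separate the bullets but leave that enumeration as one run-on paragraph; suggest fixing the wording and breaking the listed changes and user rights into list items while the block is being reformatted.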
@@ -2931,7 +2982,9 @@ Volume: Low. This policy setting allows you to audit events generated by changes to the authorization policy such as the following: Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that aren't audited through the "Authentication Policy Change" subcategory. Removal of user rights (privileges), such as SeCreateTokenPrivilege, that aren't audited through the "Authentication Policy Change" subcategory. Changes in the Encrypted File System (EFS) policy. Changes to the Resource attributes of an object. Changes to the Central Access Policy (CAP) applied to an object. + - If you configure this policy setting, an audit event is generated when an attempt to change the authorization policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated when the authorization policy changes. @@ -2994,7 +3047,9 @@ Volume: Low. This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP) such as the following: IPsec services status. Changes to IPsec policy settings. Changes to Windows Firewall policy settings. Changes to WFP providers and engine. + - If you configure this policy setting, an audit event is generated when a change to the WFP is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated when a change occurs to the WFP. 
@@ -3057,7 +3112,9 @@ Volume: Low. This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following: Reporting of active policies when Windows Firewall service starts. Changes to Windows Firewall rules. Changes to Windows Firewall exception list. Changes to Windows Firewall settings. Rules ignored or not applied by Windows Firewall Service. Changes to Windows Firewall Group Policy settings. + - If you configure this policy setting, an audit event is generated by attempts to change policy rules used by the MPSSVC. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated by changes in policy rules used by the MPSSVC. 
@@ -3246,7 +3303,9 @@ Volume: Low. This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). The following privileges are non-sensitive: Access Credential Manager as a trusted caller. Access this computer from the network. Add workstations to domain. Adjust memory quotas for a process. Allow log on locally. Allow log on through Terminal Services. Bypass traverse checking. Change the system time. Create a pagefile. Create global objects. Create permanent shared objects. Create symbolic links. Deny access this computer from the network. Deny log on as a batch job. Deny log on as a service. Deny log on locally. Deny log on through Terminal Services. Force shutdown from a remote system. Increase a process working set. Increase scheduling priority. Lock pages in memory. Log on as a batch job. Log on as a service. Modify an object label. Perform volume maintenance tasks. Profile single process. Profile system performance. Remove computer from docking station. Shut down the system. Synchronize directory service data. + - If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful calls and Failure audits record unsuccessful calls. + - If you don't configure this policy setting, no audit event is generated when a non-sensitive privilege is called. 
@@ -3369,7 +3428,9 @@ Not used. This policy setting allows you to audit events generated when sensitive privileges (user rights) are used such as the following: A privileged service is called. One of the following privileges are called: Act as part of the operating system. Back up files and directories. Create a token object. Debug programs. Enable computer and user accounts to be trusted for delegation. Generate security audits. Impersonate a client after authentication. Load and unload device drivers. Manage auditing and security log. Modify firmware environment values. Replace a process-level token. Restore files and directories. Take ownership of files or other objects. + - If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful requests and Failure audits record unsuccessful requests. + - If you don't configure this policy setting, no audit event is generated when sensitive privilege requests are made. @@ -3432,7 +3493,9 @@ Volume: High. This policy setting allows you to audit events generated by the IPsec filter driver such as the following: Startup and shutdown of the IPsec services. Network packets dropped due to integrity check failure. Network packets dropped due to replay check failure. Network packets dropped due to being in plaintext. Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card isn't working correctly or the driver needs to be updated. Inability to process IPsec filters. + - If you configure this policy setting, an audit event is generated on an IPsec filter driver operation. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated on an IPSec filter driver operation. 
@@ -3617,7 +3680,9 @@ Volume: Low. This policy setting allows you to audit events related to security system extensions or services such as the following: A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It's used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM. A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. + - If you configure this policy setting, an audit event is generated when an attempt is made to load a security system extension. Success audits record successful attempts and Failure audits record unsuccessful attempts. + - If you don't configure this policy setting, no audit event is generated when an attempt is made to load a security system extension. diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index 14d67c424b..b5b2859f9f 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md @@ -4,7 +4,7 @@ description: Learn more about the Autoplay Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -116,8 +116,7 @@ This creates a major security concern as code may be executed without user's kno - If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to: -a) Completely disable autorun commands, or -b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command. +a) Completely disable autorun commands, or b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command. - If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run. diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index 49e554a641..f9002b94a5 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -4,7 +4,7 @@ description: Learn more about the BITS Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -37,7 +37,7 @@ ms.topic: reference -This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers.) +This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers). You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours. 
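Review bot: The @@ -116,8 +116,7 @@ hunk in policy-csp-autoplay.md joins options a) and b) onto a single line ("a) Completely disable autorun commands, or b) Revert back to pre-Windows Vista behavior..."), which makes the two alternatives harder to tell apart and runs against the rest of this patch, where option values are separated by blank lines. Suggest keeping one option per line with a blank line between them, or nesting them as a sub-list under the "If you enable" bullet.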
@@ -103,7 +103,7 @@ Consider using this setting to prevent BITS transfers from competing for network -This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers.) +This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers). You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours. @@ -169,7 +169,7 @@ Consider using this setting to prevent BITS transfers from competing for network -This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers.) +This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers). You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours. 
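Review bot: The parenthetical in the changed line is a complete sentence, so moving the period outside the closing parenthesis, `(This policy setting doesn't affect foreground transfers).`, leaves the sentence inside unterminated. The same edit is made in all three BITS bandwidth hunks (-37,7, -103,7 and -169,7). Suggest reverting to `transfers.)` or dropping the parentheses and keeping it as an ordinary sentence.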
@@ -241,20 +241,27 @@ If you enable this policy setting, you can define a default download policy for For example, you can specify that background jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are: - - Always transfer - - Transfer unless roaming - - Transfer unless surcharge applies (when not roaming or overcap) - - Transfer unless nearing limit (when not roaming or nearing cap) - - Transfer only if unconstrained - - Custom--allows you to specify a bitmask, in which the bits describe cost states allowed or disallowed for this priority: (bits described here) +- Always transfer +- Transfer unless roaming +- Transfer unless surcharge applies (when not roaming or overcap) +- Transfer unless nearing limit (when not roaming or nearing cap) +- Transfer only if unconstrained +- Custom--allows you to specify a bitmask, in which the bits describe cost states allowed or disallowed for this priority: (bits described here) 0x1 - The cost is unknown or the connection is unlimited and is considered to be unrestricted of usage charges and capacity constraints. + 0x2 - The usage of this connection is unrestricted up to a certain data limit 0x4 - The usage of this connection is unrestricted up to a certain data limit and plan usage is less than 80 percent of the limit. + 0x8 - Usage of this connection is unrestricted up to a certain data limit and plan usage is between 80 percent and 100 percent of the limit. + 0x10 - Usage of this connection is unrestricted up to a certain data limit, which has been exceeded. Surcharge applied or unknown. + 0x20 - Usage of this connection is unrestricted up to a certain data limit, which has been exceeded. No surcharge applies, but speeds are likely reduced. + 0x40 - The connection is costed on a per-byte basis. + 0x80 - The connection is roaming. + 0x80000000 - Ignore congestion. 
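Review bot: The blank-line separation is incomplete between the `0x2` and `0x4` entries: every other bitmask value in this hunk gets a `+` blank line after it, but none is added after "0x2 - The usage of this connection is unrestricted up to a certain data limit", so `0x2` and `0x4` will still flow together as one paragraph. The `0x2` line is also the only entry without a closing period. Suggest adding the missing blank line and the period so all nine values render the same way.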
@@ -327,20 +334,27 @@ If you enable this policy setting, you can define a default download policy for For example, you can specify that background jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are: - - Always transfer - - Transfer unless roaming - - Transfer unless surcharge applies (when not roaming or overcap) - - Transfer unless nearing limit (when not roaming or nearing cap) - - Transfer only if unconstrained - - Custom--allows you to specify a bitmask, in which the bits describe cost states allowed or disallowed for this priority: (bits described here) +- Always transfer +- Transfer unless roaming +- Transfer unless surcharge applies (when not roaming or overcap) +- Transfer unless nearing limit (when not roaming or nearing cap) +- Transfer only if unconstrained +- Custom--allows you to specify a bitmask, in which the bits describe cost states allowed or disallowed for this priority: (bits described here) 0x1 - The cost is unknown or the connection is unlimited and is considered to be unrestricted of usage charges and capacity constraints. + 0x2 - The usage of this connection is unrestricted up to a certain data limit 0x4 - The usage of this connection is unrestricted up to a certain data limit and plan usage is less than 80 percent of the limit. + 0x8 - Usage of this connection is unrestricted up to a certain data limit and plan usage is between 80 percent and 100 percent of the limit. + 0x10 - Usage of this connection is unrestricted up to a certain data limit, which has been exceeded. Surcharge applied or unknown. + 0x20 - Usage of this connection is unrestricted up to a certain data limit, which has been exceeded. No surcharge applies, but speeds are likely reduced. + 0x40 - The connection is costed on a per-byte basis. + 0x80 - The connection is roaming. + 0x80000000 - Ignore congestion. 
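Review bot: The bit values in this hunk end up as free-standing paragraphs after the de-indented "Custom--allows you to specify a bitmask" bullet rather than as items nested under it, so the rendered page no longer shows that `0x1` through `0x80000000` belong to the Custom option. The `0x2`/`0x4` pair is again left without a separating blank line. Suggest a nested list or a two-column table for the bit values.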
@@ -413,6 +427,7 @@ This policy setting specifies the number of days a pending BITS job can remain i > Any property changes to the job or any successful download action will reset this timeout. Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs. + Consider decreasing this value if you are concerned about orphaned jobs occupying disk space. - If you enable this policy setting, you can configure the inactive job timeout to specified number of days. diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index ff06ee4287..8baca30d66 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -4,7 +4,7 @@ description: Learn more about the Browser Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -309,8 +309,11 @@ This policy setting lets you decide whether Microsoft Edge can automatically upd This setting lets you configure how to work with cookies. - If you enable this setting, you must also decide whether to: + Allow all cookies (default): Allows all cookies from all websites. + Block all cookies: Blocks all cookies from all websites. + Block only 3rd-party cookies: Blocks only cookies from 3rd-party websites. - If you disable or don't configure this setting, all cookies are allowed from all sites. 
@@ -1332,9 +1335,11 @@ If disabled, the browsing history stops saving and isn't visible in the History This policy setting lets you decide whether users can change their search engine. + - If you disable this setting, users can't add new search engines or change the default used in the address bar. -Important +Important. + This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). - If you enable or don't configure this policy, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. @@ -1485,14 +1490,15 @@ If enabled or not configured, sideloading of unverified extensions in Microsoft If disabled, sideloading of unverified extensions in Microsoft Edge isn't allowed. Extensions can be installed only through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage). When disabled, this policy doesn't prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, in Group Policy Editor, enable Allows development of Windows Store apps and installing them from an integrated development environment (IDE), which is located at: -Computer Configuration > Administrative Templates > Windows Components > App Package Deployment +Computer Configuration > Administrative Templates > Windows Components > App Package Deployment. Supported versions: Microsoft Edge on Windows 10, version 1809 -Default setting: Disabled or not configured +Default setting: Disabled or not configured. + Related policies: - - Allows development of Windows Store apps and installing them from an integrated development environment (IDE) - - Allow all trusted apps to install +- Allows development of Windows Store apps and installing them from an integrated development environment (IDE) +- Allow all trusted apps to install 
@@ -1931,7 +1937,8 @@ To verify whether browsing data is cleared on exit (ClearBrowsingDataOnExit is s This policy setting lets you add up to 5 additional search engines, which can't be removed by your employees, but can be made a personal default engine. This setting doesn't set the default search engine. For that, you must use the "Set default search engine" setting. -Important +Important. + This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). - If you enable this setting, you can add up to 5 additional search engines. For each additional engine, you must also add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine. For more info about creating the OpenSearch XML file, see the Understanding OpenSearch Standards (https://msdn.microsoft.com/library/dd163546.aspx) topic. Use this format to specify the link(s) you wish to add: `` `` 
@@ -2076,16 +2083,20 @@ When enabled, the home button is locked down preventing your users from making c If Enabled AND: - - Show home button & set to Start page is selected, clicking the home button loads the Start page. - - Show home button & set to New tab page is selected, clicking the home button loads a New tab page. - - Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. - - Hide home button is selected, the home button is hidden in Microsoft Edge. +- Show home button & set to Start page is selected, clicking the home button loads the Start page. + +- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. + +- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. + +- Hide home button is selected, the home button is hidden in Microsoft Edge. + +Default setting: Disabled or not configured. -Default setting: Disabled or not configured Related policies: - - Set Home Button URL - - Unlock Home Button. +- Set Home Button URL +- Unlock Home Button. 
@@ -2162,12 +2173,15 @@ You need to configure Microsoft Edge in assigned access for this policy to take If enabled and set to 0 (Default or not configured): - - If it's a single app, it runs InPrivate full screen for digital signage or interactive displays. - - If it's one of many apps, Microsoft Edge runs as normal. +- If it's a single app, it runs InPrivate full screen for digital signage or interactive displays. + +- If it's one of many apps, Microsoft Edge runs as normal. + If enabled and set to 1: - - If it's a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can't minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking "End session." You can configure Microsoft Edge to restart after a period of inactivity by using the "Configure kiosk reset after idle timeout" policy. - - If it's one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can't customize Microsoft Edge. +- If it's a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can't minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking "End session". You can configure Microsoft Edge to restart after a period of inactivity by using the "Configure kiosk reset after idle timeout" policy. + +- If it's one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can't customize Microsoft Edge. 
@@ -2304,10 +2318,13 @@ You can configure Microsoft Edge to lock down the Start page, preventing users f If enabled, you can choose one of the following options: - - Start page: the Start page loads ignoring the Configure Start Pages policy. - - New tab page: the New tab page loads ignoring the Configure Start Pages policy. - - Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. - - A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. +- Start page: the Start page loads ignoring the Configure Start Pages policy. + +- New tab page: the New tab page loads ignoring the Configure Start Pages policy. + +- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. + +- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Microsoft Edge With policy, and then enable the Disable Lockdown of Start Pages policy. @@ -2467,11 +2484,12 @@ You can configure Microsoft Edge to disable the lockdown of Start pages allowing If disabled or not configured, the Start pages configured in the Configure Start Pages policy can't be changed and remain locked down. -Supported devices: Domain-joined or MDM-enrolled +Supported devices: Domain-joined or MDM-enrolled. + Related policy: - - Configure Start Pages - - Configure Open Microsoft Edge With. +- Configure Start Pages +- Configure Open Microsoft Edge With. 
@@ -2770,16 +2788,19 @@ If enabled, you must include URLs to the pages, separating multiple pages using If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: + If you don't want to send traffic to Microsoft, enable this policy and use the `` value, which honors domain- and non-domain-joined devices, when it's the only configured URL. Version 1809: + If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. -Supported devices: Domain-joined or MDM-enrolled +Supported devices: Domain-joined or MDM-enrolled. + Related policy: - - Configure Open Microsoft Edge With - - Disable Lockdown of Start Pages. +- Configure Open Microsoft Edge With +- Disable Lockdown of Start Pages. @@ -2840,7 +2861,8 @@ This policy setting lets you decide whether employees can add, import, sort, or - If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. -Important +Important. + Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. 
@@ -3481,7 +3503,8 @@ This policy setting allows you to configure a default set of favorites, which wi - If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. -Important +Important. + Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. @@ -3507,7 +3530,7 @@ Don't enable both this setting and the Keep favorites in sync between Internet E |:--|:--| | Name | ConfiguredFavorites | | Friendly Name | Provision Favorites | -| Element Name | Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Microsoft Edge and use that html file for provisioning user machines.

URL can be specified as

1. HTTP location: https://localhost:8080/URLs.html
2. Local network: \\network\shares\URLs.html

3. Local file: file:///c:\\Users\\``\\Documents\\URLs.html or C:\\Users\\``\\Documents\\URLs.html. | +| Element Name | Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Microsoft Edge and use that html file for provisioning user machines.

URL can be specified as.

1. HTTP location: https://localhost:8080/URLs.html
2. Local network: \\network\shares\URLs.html.

3. Local file: file:///c:\\Users\\``\\Documents\\URLs.html or C:\\Users\\``\\Documents\\URLs.html. | | Location | Computer and User Configuration | | Path | Windows Components > Microsoft Edge | | Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Favorites | @@ -3621,14 +3644,16 @@ This policy setting lets you decide whether your intranet sites should all open This policy setting lets you configure the default search engine for your employees. Your employees can change the default search engine at any time. -Important +Important. + This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). - If you enable this setting, you can choose a default search engine for your employees. - If this setting is enabled, you must also add the default engine to the "Set default search engine" setting, by adding a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine. For more info about creating the OpenSearch XML file, see the Understanding OpenSearch Standards (https://msdn.microsoft.com/library/dd163546.aspx) topic. Use this format to specify the link you wish to add: `` -Note +Note. + If you'd like your employees to use the default Microsoft Edge settings for each market, you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING. Employees can change the default search engine at any time, unless you disable the "Allow search engine customization" setting, which restricts any changes. 
@@ -3696,7 +3721,8 @@ The home button can be configured to load a custom URL when your user clicks the If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. -Default setting: Blank or not configured +Default setting: Blank or not configured. + Related policy: Configure Home Button. @@ -3760,7 +3786,8 @@ If enabled, you can set the default New Tab page URL. If disabled or not configured, the default Microsoft Edge new tab page is used. -Default setting: Disabled or not configured +Default setting: Disabled or not configured. + Related policy: Allow web content on New Tab page. @@ -3824,7 +3851,8 @@ If enabled, the notification appears on a new page. If you want users to continu If disabled or not configured, the default app behavior occurs and no additional page displays. -Default setting: Disabled or not configured +Default setting: Disabled or not configured. + Related policies: -Configure the Enterprise Mode Site List @@ -3981,7 +4009,8 @@ If enabled, the UI settings for the home button are enabled allowing your users If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. -Default setting: Disabled or not configured +Default setting: Disabled or not configured. + Related policy: -Configure Home Button diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index 33692bd982..02503b881b 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -4,7 +4,7 @@ description: Learn more about the Cellular Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -324,6 +324,7 @@ If an app is open when this Group Policy object is applied on a device, employee This policy setting configures the visibility of the link to the per-application cellular access control page in the cellular setting UX. - If this policy setting is enabled, a drop-down list box presenting possible values will be active. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page. + - If this policy setting is disabled or isn't configured, the link to the per-application cellular access control page is showed by default. diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md index 2f2df60c50..878f0f2aef 100644 --- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md +++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md @@ -4,7 +4,7 @@ description: Learn more about the CredentialsDelegation Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -39,7 +39,7 @@ ms.topic: reference -Remote host allows delegation of non-exportable credentials +Remote host allows delegation of non-exportable credentials. When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 58c4d7d6cf..43cdc9a4ee 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md 
@@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -180,15 +180,15 @@ This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the onl You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft won't use this information to identify you or contact you. Possible options are: + (0x0) Disabled (default) -(0x1) Basic membership -(0x2) Advanced membership +(0x1) Basic membership (0x2) Advanced membership. Basic membership will send basic information to Microsoft about software that has been detected, including where the software came from, the actions that you apply or that are applied automatically, and whether the actions were successful. Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer. -- If you enable this setting, you will join Microsoft MAPS with the membership specified. +- If you enable this setting, you'll join Microsoft MAPS with the membership specified. - If you disable or don't configure this setting, you won't join Microsoft MAPS. 
@@ -830,6 +830,7 @@ Allows or disallows Windows Defender Script Scanning functionality. This policy setting allows you to configure whether or not to display AM UI to the users. + If you enable this setting AM UI won't be available to users. @@ -896,16 +897,20 @@ If you enable this setting AM UI won't be available to users. Exclude files and paths from Attack Surface Reduction (ASR) rules. Enabled: + Specify the folders or files and resources that should be excluded from ASR rules in the Options section. + Enter each rule on a new line as a name-value pair: - - Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder - - Value column: Enter "0" for each item +- Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder +- Value column: Enter "0" for each item. Disabled: + No exclusions will be applied to the ASR rules. Not configured: + Same as Disabled. You can configure ASR rules in the Configure Attack Surface Reduction rules GP setting. 
@@ -966,30 +971,33 @@ Set the state for each Attack Surface Reduction (ASR) rule. After enabling this setting, you can set each rule to the following in the Options section: - - Block: the rule will be applied - - Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule won't actually be applied) - - Off: the rule won't be applied - - Not Configured: the rule is enabled with default values - - Warn: the rule will be applied and the end-user will have the option to bypass the block +- Block: the rule will be applied +- Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule won't actually be applied) +- Off: the rule won't be applied +- Not Configured: the rule is enabled with default values +- Warn: the rule will be applied and the end-user will have the option to bypass the block. Unless the ASR rule is disabled, a subsample of audit events are collected for ASR rules with the value of not configured. Enabled: + Specify the state for each ASR rule under the Options section for this setting. + Enter each rule on a new line as a name-value pair: - - Name column: Enter a valid ASR rule ID - - Value column: Enter the status ID that relates to state you want to specify for the associated rule +- Name column: Enter a valid ASR rule ID +- Value column: Enter the status ID that relates to state you want to specify for the associated rule. The following status IDs are permitted under the value column: - - 1 (Block) - - 0 (Off) - - 2 (Audit) - - 5 (Not Configured) - - 6 (Warn) +- 1 (Block) +- 0 (Off) +- 2 (Audit) +- 5 (Not Configured) +- 6 (Warn) Example: + xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0 xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx @@ -998,9 +1006,11 @@ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2 Disabled: + No ASR rules will be configured. Not configured: + Same as Disabled. You can exclude folders or files in the "Exclude files and paths from Attack Surface Reduction Rules" GP setting. 
@@ -1193,9 +1203,8 @@ For more information about specific values that are supported, see the Microsoft > This feature requires the "Join Microsoft MAPS" setting enabled in order to function. Possible options are: -(0x0) Default Microsoft Defender Antivirus blocking level -(0x1) Moderate Microsoft Defender Antivirus blocking level, delivers verdict only for high confidence detections -(0x2) High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives) + +(0x0) Default Microsoft Defender Antivirus blocking level (0x1) Moderate Microsoft Defender Antivirus blocking level, delivers verdict only for high confidence detections (0x2) High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives) (0x4) High+ blocking level - aggressively block unknowns and apply additional protection measures (may impact client performance) (0x6) Zero tolerance blocking level - block all unknown executables. @@ -1331,12 +1340,15 @@ These applications are allowed to modify or delete files in controlled folder ac Microsoft Defender Antivirus automatically determines which applications should be trusted. You can configure this setting to add additional applications. Enabled: + Specify additional allowed applications in the Options section.. Disabled: + No additional applications will be added to the trusted list. Not configured: + Same as Disabled. You can enable controlled folder access in the Configure controlled folder access GP setting. 
@@ -1400,15 +1412,19 @@ Specify additional folders that should be guarded by the Controlled folder acces Files in these folders can't be modified or deleted by untrusted applications. Default system folders are automatically protected. You can configure this setting to add additional folders. + The list of default system folders that are protected is shown in Windows Security. Enabled: + Specify additional folders that should be protected in the Options section. Disabled: + No additional folders will be protected. Not configured: + Same as Disabled. You can enable controlled folder access in the Configure controlled folder access GP setting. 
@@ -1660,55 +1676,69 @@ This policy setting allows you to configure catch-up scans for scheduled quick s Enable or disable controlled folder access for untrusted applications. You can choose to block, audit, or allow attempts by untrusted apps to: - - Modify or delete files in protected folders, such as the Documents folder - - Write to disk sectors +- Modify or delete files in protected folders, such as the Documents folder +- Write to disk sectors. You can also choose to only block or audit writes to disk sectors while still allowing the modification or deletion of files in protected folders. Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting. + Default system folders are automatically protected, but you can add folders in the Configure protected folders GP setting. Block: + The following will be blocked: - - Attempts by untrusted apps to modify or delete files in protected folders - - Attempts by untrusted apps to write to disk sectors +- Attempts by untrusted apps to modify or delete files in protected folders +- Attempts by untrusted apps to write to disk sectors. + The Windows event log will record these blocks under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123. Disabled: + The following won't be blocked and will be allowed to run: - - Attempts by untrusted apps to modify or delete files in protected folders - - Attempts by untrusted apps to write to disk sectors +- Attempts by untrusted apps to modify or delete files in protected folders +- Attempts by untrusted apps to write to disk sectors. + These attempts won't be recorded in the Windows event log. 
Audit Mode: + The following won't be blocked and will be allowed to run: - - Attempts by untrusted apps to modify or delete files in protected folders - - Attempts by untrusted apps to write to disk sectors +- Attempts by untrusted apps to modify or delete files in protected folders +- Attempts by untrusted apps to write to disk sectors. + The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124. Block disk modification only: + The following will be blocked: - - Attempts by untrusted apps to write to disk sectors +- Attempts by untrusted apps to write to disk sectors. + The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123. The following won't be blocked and will be allowed to run: - - Attempts by untrusted apps to modify or delete files in protected folders +- Attempts by untrusted apps to modify or delete files in protected folders. + These attempts won't be recorded in the Windows event log. Audit disk modification only: + The following won't be blocked and will be allowed to run: - - Attempts by untrusted apps to write to disk sectors - - Attempts by untrusted apps to modify or delete files in protected folders +- Attempts by untrusted apps to write to disk sectors +- Attempts by untrusted apps to modify or delete files in protected folders. + Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124). + Attempts to modify or delete files in protected folders won't be recorded. Not configured: + Same as Disabled. 
@@ -1842,15 +1872,18 @@ This policy setting allows you to enable or disable low CPU priority for schedul Enable or disable Microsoft Defender Exploit Guard network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet. Enabled: + Specify the mode in the Options section: -Block: Users and applications won't be able to access dangerous domains -Audit Mode: Users and applications can connect to dangerous domains, however if this feature would've blocked access if it were set to Block, then a record of the event will be in the event logs. Disabled: + Users and applications won't be blocked from connecting to dangerous domains. Not configured: + Same as Disabled. @@ -2088,15 +2121,19 @@ Allows an administrator to specify a list of files opened by processes to ignore Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. Enabled: + Specify the mode in the Options section: -Block: Potentially unwanted software will be blocked. + -Audit Mode: Potentially unwanted software won't be blocked, however if this feature would've blocked access if it were set to Block, then a record of the event will be in the event logs. Disabled: + Potentially unwanted software won't be blocked. Not configured: + Same as Disabled. 
@@ -2165,9 +2202,10 @@ This policy setting allows you to configure monitoring for incoming and outgoing Note that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes. The options for this setting are mutually exclusive: + 0 = Scan incoming and outgoing files (default) 1 = Scan incoming files only -2 = Scan outgoing files only +2 = Scan outgoing files only. Any other value, or if the value doesn't exist, resolves to the default (0). @@ -2238,8 +2276,9 @@ Any other value, or if the value doesn't exist, resolves to the default (0). This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are: + 1 = Quick Scan (default) -2 = Full Scan +2 = Full Scan. - If you enable this setting, the scan type will be set to the specified value. @@ -2368,15 +2407,8 @@ This policy setting allows you to specify the time of day at which to perform a This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: -(0x0) Every Day -(0x1) Sunday -(0x2) Monday -(0x3) Tuesday -(0x4) Wednesday -(0x5) Thursday -(0x6) Friday -(0x7) Saturday -(0x8) Never (default) + +(0x0) Every Day (0x1) Sunday (0x2) Monday (0x3) Tuesday (0x4) Wednesday (0x5) Thursday (0x6) Friday (0x7) Saturday (0x8) Never (default) - If you enable this setting, a scheduled scan will run at the frequency specified. 
@@ -2564,7 +2596,7 @@ If you disable or don't configure this setting, security intelligence will be re -This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: "InternalDefinitionUpdateServer", "MicrosoftUpdateServer", "MMPC", and "FileShares" +This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: "InternalDefinitionUpdateServer", "MicrosoftUpdateServer", "MMPC", and "FileShares". For Example: `{ InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }` @@ -2744,10 +2776,8 @@ This policy setting allows you to specify an interval at which to check for secu This policy setting configures behavior of samples submission when opt-in for MAPS telemetry is set. Possible options are: -(0x0) Always prompt -(0x1) Send safe samples automatically -(0x2) Never send -(0x3) Send all samples automatically. + +(0x0) Always prompt (0x1) Send safe samples automatically (0x2) Never send (0x3) Send all samples automatically. @@ -2815,12 +2845,14 @@ Possible options are: This policy setting allows you to customize which automatic remediation action will be taken for each threat alert level. Threat alert levels should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a threat alert level. The value contains the action ID for the remediation action that should be taken. Valid threat alert levels are: + 1 = Low 2 = Medium 4 = High -5 = Severe +5 = Severe. Valid remediation action values are: + 2 = Quarantine 3 = Remove 6 = Ignore. 
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 85af3b232c..d38b2f6b8f 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -4,7 +4,7 @@ description: Learn more about the DeliveryOptimization Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1509,8 +1509,11 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts Set this policy to restrict peer selection via selected option. Options available are: + 0 = NAT. + 1 = Subnet mask. + 2 = Local discovery (DNS-SD). The default value has changed from 0 (no restriction) to 1 (restrict to the subnet). diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 1389673315..54c24ec458 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -4,7 +4,7 @@ description: Learn more about the DeviceInstallation Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -43,8 +43,9 @@ This policy setting allows you to specify a list of Plug and Play hardware IDs a When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: - - Prevent installation of devices that match these device IDs - - Prevent installation of devices that match any of these device instance IDs +- Prevent installation of devices that match these device IDs +- Prevent installation of devices that match any of these device instance IDs. + If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. > [!NOTE] 
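Review bot: The second bullet now ends `...device instance IDs.` while the first bullet has no period, and both bullets are policy setting names, so the added period reads as part of the name. Drop the period (or quote the names the way the surrounding sentences quote "Apply layered order of evaluation ...") and keep the dedent and the blank line before "If the ...". The same pattern appears in the two hunks that follow (@@ -145 and @@ -248).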
@@ -145,7 +146,8 @@ This policy setting allows you to specify a list of Plug and Play device instanc When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: - - Prevent installation of devices that match any of these device instance IDs +- Prevent installation of devices that match any of these device instance IDs. + If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. > [!NOTE] 
@@ -248,9 +250,10 @@ This policy setting allows you to specify a list of device setup class globally When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: - - Prevent installation of devices for these device classes - - Prevent installation of devices that match these device IDs - - Prevent installation of devices that match any of these device instance IDs +- Prevent installation of devices for these device classes +- Prevent installation of devices that match these device IDs +- Prevent installation of devices that match any of these device instance IDs. + If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. > [!NOTE] 
@@ -357,31 +360,31 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria is applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows: -Device instance IDs > Device IDs > Device setup class > Removable devices +Device instance IDs > Device IDs > Device setup class > Removable devices. -Device instance IDs +Device instance IDs. 1. Prevent installation of devices using drivers that match these device instance IDs -2. Allow installation of devices using drivers that match these device instance IDs +2. Allow installation of devices using drivers that match these device instance IDs. -Device IDs +Device IDs. 3. Prevent installation of devices using drivers that match these device IDs -4. Allow installation of devices using drivers that match these device IDs +4. Allow installation of devices using drivers that match these device IDs. -Device setup class +Device setup class. 5. Prevent installation of devices using drivers that match these device setup classes -6. Allow installation of devices using drivers that match these device setup classes +6. Allow installation of devices using drivers that match these device setup classes. -Removable devices +Removable devices. -7. Prevent installation of removable devices +7. Prevent installation of removable devices. > [!NOTE] > This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. 
If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored. -If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. +If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..". policy settings have precedence over any other policy setting that allows Windows to install a device. diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index e8c6feb635..9481c59de0 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -4,7 +4,7 @@ description: Learn more about the Education Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -38,6 +38,7 @@ ms.topic: reference This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. + - If you disable this policy setting, graphing functionality won't be accessible in the Windows Calculator app. - If you enable or don't configure this policy setting, users will be able to access graphing functionality. 
@@ -144,6 +145,7 @@ The policy value is expected to be the name (network host name) of an installed This policy setting allows you to control whether EDU-specific theme packs are available in Settings > Personalization. + - If you disable or don't configure this policy setting, EDU-specific theme packs won't be included. - If you enable this policy setting, users will be able to personalize their devices with EDU-specific themes. @@ -246,7 +248,7 @@ This policy setting allows tenant to control whether to declare this OS as an ed Prevents users from using familiar methods to add local and network printers. -- If this policy setting is enabled, it removes the Add Printer option from the Start menu. (To find the Add Printer option, click Start, click Printers, and then click Add Printer.) This setting also removes Add Printer from the Printers folder in Control Panel. +- If this policy setting is enabled, it removes the Add Printer option from the Start menu. (To find the Add Printer option, click Start, click Printers, and then click Add Printer). This setting also removes Add Printer from the Printers folder in Control Panel. Also, users can't add printers by dragging a printer icon into the Printers folder. If they try, a message appears explaining that the setting prevents the action. diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index f96eb7a075..98e5bc674b 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -4,7 +4,7 @@ description: Learn more about the Experience Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -42,7 +42,9 @@ ms.topic: reference This policy setting determines whether history of Clipboard contents can be stored in memory. - If you enable this policy setting, history of Clipboard contents are allowed to be stored. + - If you disable this policy setting, history of Clipboard contents aren't allowed to be stored. + Policy change takes effect immediately. @@ -168,6 +170,7 @@ This policy is deprecated. This policy setting specifies whether Cortana is allowed on the device. - If you enable or don't configure this setting, Cortana will be allowed on the device. + - If you disable this setting, Cortana will be turned off. When Cortana is off, users will still be able to use search to find things on the device. @@ -603,6 +606,7 @@ Allow SIM error dialog prompts when no SIM is inserted. Specifies whether Spotlight collection is allowed as a Personalization->Background Setting. - If you enable this policy setting, Spotlight collection will show as an option in the user's Personalization Settings, and the user will be able to get daily images from Microsoft displayed on their desktop. + - If you disable this policy setting, Spotlight collection won't show as an option in Personalization Settings, and the user won't have the choice of getting Microsoft daily images shown on their desktop. 
@@ -714,6 +718,7 @@ Allows or disallows all Windows sync settings on the device. For information abo This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. - If you enable this policy setting, Windows won't use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. + - If you disable or don't configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. Diagnostic data can include browser, app and feature usage, depending on the Diagnostic and usage data setting value. > [!NOTE] @@ -1016,6 +1021,7 @@ Prior to Windows 10, version 1803, this policy had User scope. This policy allow Specifies whether to turn off all Windows spotlight features at once. - If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. + - If you disable or don't configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings. Most restricted value is 0. 
@@ -1082,6 +1088,7 @@ Specifies whether to turn off all Windows spotlight features at once. This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. - If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. + - If you disable or don't configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows. Most restricted value is 0. @@ -1212,6 +1219,7 @@ This policy allows IT admins to turn off Suggestions in Settings app. These sugg This policy setting lets you turn off the Windows spotlight Windows welcome experience feature. The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. - If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. + - If you disable or don't configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested. Most restricted value is 0. diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 34a00c32b7..048fcaf893 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -4,7 +4,7 @@ description: Learn more about the InternetExplorer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -1500,7 +1500,7 @@ For more information, see This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone. -Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.) +Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer). - If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information: 
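Review bot: The changed line moves the period outside the closing parenthesis, `...protect your local computer).`, but the parenthetical is a complete sentence that follows a sentence already closed with its own period, so the period belongs inside: `(The Local Machine zone ... your local computer.)`. This looks like an automated punctuation rule misfiring; suggest reverting this line.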
@@ -2066,22 +2066,26 @@ Enables you to configure up to three versions of Microsoft Edge to open a redire If both the Windows Update for the next version of Microsoft Edge* and Microsoft Edge Stable channel are installed, the following behaviors occur: - - If you disable or don't configure this policy, Microsoft Edge Stable channel is used. This is the default behavior. - - If you enable this policy, you can configure redirected sites to open in up to three of the following channels where: +- If you disable or don't configure this policy, Microsoft Edge Stable channel is used. This is the default behavior. + +- If you enable this policy, you can configure redirected sites to open in up to three of the following channels where: + 1 = Microsoft Edge Stable 2 = Microsoft Edge Beta version 77 or later 3 = Microsoft Edge Dev version 77 or later -4 = Microsoft Edge Canary version 77 or later +4 = Microsoft Edge Canary version 77 or later. If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge Stable channel aren't installed, the following behaviors occur: - - If you disable or don't configure this policy, Microsoft Edge version 45 or earlier is automatically used. This is the default behavior. - - If you enable this policy, you can configure redirected sites to open in up to three of the following channels where: +- If you disable or don't configure this policy, Microsoft Edge version 45 or earlier is automatically used. This is the default behavior. + +- If you enable this policy, you can configure redirected sites to open in up to three of the following channels where: + 0 = Microsoft Edge version 45 or earlier 1 = Microsoft Edge Stable 2 = Microsoft Edge Beta version 77 or later 3 = Microsoft Edge Dev version 77 or later -4 = Microsoft Edge Canary version 77 or later +4 = Microsoft Edge Canary version 77 or later. 
- For more information about the Windows update for the next version of Microsoft Edge including how to disable it, see< https://go.microsoft.com/fwlink/?linkid=2102115>. This update applies only to Windows 10 version 1709 and higher. @@ -3117,8 +3121,9 @@ This policy setting prevents Internet Explorer from running the First Run wizard - If you enable this policy setting, you must make one of the following choices: - - Skip the First Run wizard, and go directly to the user's home page. - - Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage. +- Skip the First Run wizard, and go directly to the user's home page. + +- Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage. Starting with Windows 8, the "Welcome to Internet Explorer" webpage isn't available. The user's home page will display regardless of which option is chosen. @@ -3568,10 +3573,13 @@ This policy lets you restrict launching of Internet Explorer as a standalone bro If you enable this policy, it: - - Prevents Internet Explorer 11 from launching as a standalone browser. - - Restricts Internet Explorer's usage to Microsoft Edge's native 'Internet Explorer mode'. - - Redirects all attempts at launching Internet Explorer 11 to Microsoft Edge Stable Channel browser. - - Overrides any other policies that redirect to Internet Explorer 11. +- Prevents Internet Explorer 11 from launching as a standalone browser. + +- Restricts Internet Explorer's usage to Microsoft Edge's native 'Internet Explorer mode'. + +- Redirects all attempts at launching Internet Explorer 11 to Microsoft Edge Stable Channel browser. + +- Overrides any other policies that redirect to Internet Explorer 11. If you disable, or don't configure this policy, all sites are opened using the current active browser settings. 
@@ -4170,7 +4178,7 @@ When Enhanced Protected Mode is enabled, and a user encounters a website that at Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. -- If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.) +- If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button). - If you disable this policy or don't configure it, users can add Web sites to or remove sites from the Trusted Sites and Restricted Sites zones, and alter settings for the Local Intranet zone. @@ -4374,9 +4382,9 @@ This policy setting allows you to manage a list of domains on which Internet Exp - If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following: 1. "domain.name. TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" -2. "hostname". For example, if you want to include https://example, use "example" +2. "hostname". For example, if you want to include https://example, use "example". -3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm" +3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm". - If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone. 
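Review bot: In the @@ -4374 hunk items 2 and 3 gain a trailing period after the quoted example, but item 1 (`use "contoso.com"`) is left without one, so the list is now inconsistent. These strings are what an admin enters in the list of domains exempted from outdated ActiveX blocking, so punctuate all three outside the quotes or none of them. While here, the format string in item 1, `"domain.name. TLD"`, looks like it has a stray space.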
@@ -4505,6 +4513,7 @@ For more information, see This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications. + The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser. - If you enable this policy, Internet Explorer mode will use the global window list. @@ -7878,8 +7887,8 @@ We strongly recommend keeping this policy in sync with the 'Send all intranet si Related policies: - - Send all intranet sites to Internet Explorer ('SendIntranetToInternetExplorer') - - Send all sites not included in the Enterprise Mode Site List to Microsoft Edge ('RestrictIE') +- Send all intranet sites to Internet Explorer ('SendIntranetToInternetExplorer') +- Send all sites not included in the Enterprise Mode Site List to Microsoft Edge ('RestrictIE') For more info about how to use this policy together with other related policies to create the optimal configuration for your organization, see< https://go.microsoft.com/fwlink/?linkid=2094210>. diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 2b2d6da783..3368906aa4 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -4,7 +4,7 @@ description: Learn more about the Kerberos Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -226,7 +226,7 @@ This policy setting controls whether a device will request claims and compound a This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication. -- If you enable this policy, you will be able to configure one of four states for each algorithm: +- If you enable this policy, you'll be able to configure one of four states for each algorithm: - "Default" sets the algorithm to the recommended state. diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md index e76faff2df..45c8c19788 100644 --- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md @@ -4,7 +4,7 @@ description: Learn more about the LanmanWorkstation Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -43,7 +43,7 @@ This policy setting determines if the SMB client will allow insecure guest logon - If you disable this policy setting, the SMB client will reject insecure guest logons. -Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and don't use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access." +Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and don't use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. 
Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access". diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md index 48bbbb7152..430bd00cd2 100644 --- a/windows/client-management/mdm/policy-csp-licensing.md +++ b/windows/client-management/mdm/policy-csp-licensing.md @@ -4,7 +4,7 @@ description: Learn more about the Licensing Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -38,11 +38,12 @@ ms.topic: reference This policy setting controls whether OS Reactivation is blocked on a device. + Policy Options: - - Not Configured (default -- Windows registration and reactivation is allowed) - - Disabled (Windows registration and reactivation isn't allowed) - - Enabled (Windows registration is allowed) +- Not Configured (default -- Windows registration and reactivation is allowed) +- Disabled (Windows registration and reactivation isn't allowed) +- Enabled (Windows registration is allowed) @@ -106,12 +107,14 @@ Policy Options: This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. + If you disable or don't configure this policy setting, KMS client activation data will be sent to Microsoft services when this device activates. + Policy Options: - - Not Configured (default -- data will be automatically sent to Microsoft) - - Disabled (data will be automatically sent to Microsoft) - - Enabled (data won't be sent to Microsoft) +- Not Configured (default -- data will be automatically sent to Microsoft) +- Disabled (data will be automatically sent to Microsoft) +- Enabled (data won't be sent to Microsoft) 
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 8af0dde209..3a0caa4237 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -4,7 +4,7 @@ description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CS author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -335,7 +335,7 @@ Accounts: Rename administrator account This security setting determines whether -Accounts: Rename guest account This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. Default: Guest. +Accounts: Rename guest account This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest". Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. Default: Guest. 
@@ -497,6 +497,7 @@ Devices: Allow undock without having to log on This security setting determines Devices: Prevent users from installing printer drivers when connecting to shared printers For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. - If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. + - If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. Default on servers: Enabled. Default on workstations: Disabled Notes This setting doesn't affect the ability to add a local printer. This setting doesn't affect Administrators. @@ -1054,6 +1055,7 @@ Interactive logon: Smart card removal behavior This security setting determines Microsoft network client: Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. - If this setting is enabled, the Microsoft network client won't communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. + - If this policy is disabled, SMB packet signing is negotiated between the client and server. Default: Disabled. > [!IMPORTANT] 
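Review bot: In the @@ -1054 hunk the added blank line separates the two bullets, but `Default: Disabled.` is still attached to the end of the second bullet, so the default reads as part of the "disabled" case; move it to its own line. The two bullets also switch between "this setting" and "this policy" for the same SMB signing control, which is worth unifying in the same pass.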
@@ -1121,6 +1123,7 @@ Microsoft network client: Digitally sign communications (always) This security s Microsoft network client: Digitally sign communications (if server agrees) This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. - If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. + - If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default: Enabled. > [!NOTE] 
@@ -1243,6 +1246,7 @@ Microsoft network client: Send unencrypted password to connect to third-party SM Microsoft network server: Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. - If this setting is enabled, the Microsoft network server won't communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. + - If this setting is disabled, SMB packet signing is negotiated between the client and server. Default: Disabled for member servers. Enabled for domain controllers. > [!NOTE] 
@@ -1310,6 +1314,7 @@ Microsoft network server: Digitally sign communications (always) This security s Microsoft network server: Digitally sign communications (if client agrees) This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. - If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. + - If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default: Enabled on domain controllers only. > [!IMPORTANT] 
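Review bot: The unchanged bullet right after the added blank line says "If this policy is disabled, the SMB client will never negotiate SMB packet signing", but this section documents the server-side setting "Microsoft network server: Digitally sign communications (if client agrees)". The sentence is word for word the client-side text from the @@ -1121 hunk and looks carried over from it. Since this pass already touches the list, confirm whether it should read "the SMB server will never negotiate SMB packet signing"; a reader checking the disabled case needs to know which side stops signing. The two bullets also switch between "this setting" and "this policy" for the same thing.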
@@ -1372,7 +1377,9 @@ Microsoft network server: Digitally sign communications (if client agrees) This Network access: Allow anonymous SID/name translation This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user. + - If this policy is enabled, an anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. This setting affects both the SID-to-name translation as well as the name-to-SID translation. + - If this policy setting is disabled, an anonymous user can't request the SID attribute for another user. Default on workstations and member servers: Disabled. Default on domain controllers running Windows Server 2008 or later: Disabled. Default on domain controllers running Windows Server 2003 R2 or earlier: Enabled. @@ -1659,6 +1666,7 @@ Network access: Restrict clients allowed to make remote calls to SAM This policy Network security: Allow Local System to use computer identity for NTLM This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. - If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. + - If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. By default, this policy is enabled on Windows 7 and above. By default, this policy is disabled on Windows Vista. This policy is supported on at least Windows Vista or Windows Server 2008. > [!NOTE] 
@@ -2091,7 +2099,9 @@ Network security: Minimum session security for NTLM SSP based (including secure Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. + - If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. + - If you don't configure this policy setting, no exceptions will be applied. The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character. diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index cc236267c3..de3dcc67d2 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -4,7 +4,7 @@ description: Learn more about the LocalUsersAndGroups Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -42,7 +42,6 @@ Possible settings: 1. Update Group Membership: Update a group and add and/or remove members though the 'U' action. When using Update, existing group members that aren't specified in the policy remain untouched. - 2. Replace Group Membership: Restrict a group by replacing group membership through the 'R' action. When using Replace, existing group membership is replaced by the list of members specified in the add member section. This option works in the same way as a Restricted Group and any group diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index a3113f2aed..6bf3263e8a 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -4,7 +4,7 @@ description: Learn more about the MixedReality Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -400,25 +400,32 @@ This policy setting specifies a set of parameters for controlling the Windows NT - If you disable or don't configure this policy setting, the Windows NTP Client uses the defaults of each of the following parameters. -NtpServer +NtpServer. + The Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of "dnsName,flags" where "flags" is a hexadecimal bitmask of the flags for that host. For more information, see the NTP Client Group Policy Settings Associated with Windows Time section of the Windows Time Service Group Policy Settings. The default value is "time.windows.com,0x09". -Type +Type. + This value controls the authentication that W32time uses. The default value is NT5DS. -CrossSiteSyncFlags +CrossSiteSyncFlags. + This value, expressed as a bitmask, controls how W32time chooses time sources outside its own site. The possible values are 0, 1, and 2. Setting this value to 0 (None) indicates that the time client shouldn't attempt to synchronize time outside its site. Setting this value to 1 (PdcOnly) indicates that only the computers that function as primary domain controller (PDC) emulator operations masters in other domains can be used as synchronization partners when the client has to synchronize time with a partner outside its own site. Setting a value of 2 (All) indicates that any synchronization partner can be used. This value is ignored if the NT5DS value isn't set. The default value is 2 decimal (0x02 hexadecimal). -ResolvePeerBackoffMinutes +ResolvePeerBackoffMinutes. + This value, expressed in minutes, controls how long W32time waits before it attempts to resolve a DNS name when a previous attempt failed. The default value is 15 minutes. -ResolvePeerBackoffMaxTimes +ResolvePeerBackoffMaxTimes. + This value controls how many times W32time attempts to resolve a DNS name before the discovery process is restarted. 
Each time DNS name resolution fails, the amount of time to wait before the next attempt will be twice the previous amount. The default value is seven attempts. -SpecialPollInterval +SpecialPollInterval. + This NTP client value, expressed in seconds, controls how often a manually configured time source is polled when the time source is configured to use a special polling interval. If the SpecialInterval flag is enabled on the NTPServer setting, the client uses the value that's set as the SpecialPollInterval, instead of a variable interval between MinPollInterval and MaxPollInterval values, to determine how frequently to poll the time source. SpecialPollInterval must be in the range of [MinPollInterval, MaxPollInterval], else the nearest value of the range is picked. Default: 1024 seconds. -EventLogFlags +EventLogFlags. + This value is a bitmask that controls events that may be logged to the System log in Event Viewer. Setting this value to 0x1 indicates that W32time will create an event whenever a time jump is detected. Setting this value to 0x2 indicates that W32time will create an event whenever a time source change is made. Because it's a bitmask value, setting 0x3 (the addition of 0x1 and 0x2) indicates that both time jumps and time source changes will be logged. diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md index 2d2008a5b7..372eef8d37 100644 --- a/windows/client-management/mdm/policy-csp-networkisolation.md +++ b/windows/client-management/mdm/policy-csp-networkisolation.md @@ -4,7 +4,7 @@ description: Learn more about the NetworkIsolation Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
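Review bot: In the policy-csp-mixedreality.md hunk at -400, the parameter names become "NtpServer.", "Type.", "CrossSiteSyncFlags." and so on, so a period now sits directly on each identifier. These are names an admin types or searches for, and the period reads as part of the name. Suggest leaving the names bare and setting them off with bold or inline code, keeping the added blank line after each. In the same hunk the SpecialPollInterval text spells the setting "NTPServer" where the list uses "NtpServer"; pick one spelling.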
@@ -45,7 +45,7 @@ Contains a list of Enterprise resource domains hosted in the cloud. Connections If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the Intranet proxy servers for apps policy. -Example: [cloudresource]|[cloudresource]|[cloudresource],[proxy]|[cloudresource]|[cloudresource],[proxy]| +Example: [cloudresource]|[cloudresource]|[cloudresource],[proxy]|[cloudresource]|[cloudresource],[proxy]|. For more information see: diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md index 6a7e6d6ca2..d6ebc245a3 100644 --- a/windows/client-management/mdm/policy-csp-newsandinterests.md +++ b/windows/client-management/mdm/policy-csp-newsandinterests.md @@ -4,7 +4,7 @@ description: Learn more about the NewsAndInterests Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -38,7 +38,9 @@ ms.topic: reference This policy specifies whether the widgets feature is allowed on the device. + Widgets will be turned on by default unless you change this in your settings. + If you turned this feature on before, it will stay on automatically unless you turn it off. diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 9baca25d58..65ea9ad54a 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md 
@@ -4,7 +4,7 @@ description: Learn more about the Notifications Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -262,6 +262,7 @@ No reboots or service restarts are required for this policy setting to take effe This policy setting turns on multiple expanded toast notifications in action center. - If you enable this policy setting, the first three notifications of each application will be expanded by default in action center. + - If you disable or don't configure this policy setting, only the first notification of each application will be expanded by default in action center. Windows 10 only. This will be immediately deprecated for Windows 11. No reboots or service restarts are required for this policy setting to take effect. diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 496798b187..1df08d3e35 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -4,7 +4,7 @@ description: Learn more about the Power Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -689,7 +689,7 @@ Possible actions include: -Take no action -Sleep -Hibernate --Shut down +-Shut down. - If you enable this policy setting, you must select the desired action. @@ -765,7 +765,7 @@ Possible actions include: -Take no action -Sleep -Hibernate --Shut down +-Shut down. - If you enable this policy setting, you must select the desired action. @@ -841,7 +841,7 @@ Possible actions include: -Take no action -Sleep -Hibernate --Shut down +-Shut down. - If you enable this policy setting, you must select the desired action. 
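Review bot: In the policy-csp-power.md hunks at -689, -765 and -841, only the last action gets a period ("-Shut down.") while "-Take no action", "-Sleep" and "-Hibernate" stay bare, so the list is now punctuated inconsistently. The items also have no space after the hyphen, so they are not Markdown list items to begin with. Suggest "- Take no action", "- Sleep", "- Hibernate", "- Shut down" with no terminal periods, applied the same way in every hunk that makes this change.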
@@ -917,7 +917,7 @@ Possible actions include: -Take no action -Sleep -Hibernate --Shut down +-Shut down. - If you enable this policy setting, you must select the desired action. @@ -993,7 +993,7 @@ Possible actions include: -Take no action -Sleep -Hibernate --Shut down +-Shut down. - If you enable this policy setting, you must select the desired action. @@ -1069,7 +1069,7 @@ Possible actions include: -Take no action -Sleep -Hibernate --Shut down +-Shut down. - If you enable this policy setting, you must select the desired action. diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index a21ad776d3..0236d23909 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -4,7 +4,7 @@ description: Learn more about the Printers Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -380,9 +380,9 @@ You can enable this setting to configure the Redirection Guard policy being appl - If you enable this setting you may select the following options: -- Enabled: Redirection Guard will prevent any file redirections from being followed +- Enabled: Redirection Guard will prevent any file redirections from being followed. -- Disabled: Redirection Guard won't be enabled and file redirections may be used within the spooler process +- Disabled: Redirection Guard won't be enabled and file redirections may be used within the spooler process. - Audit: Redirection Guard will log events as though it were enabled but won't actually prevent file redirections from being used within the spooler. 
@@ -499,14 +499,14 @@ By default, RPC over TCP is used and authentication is always enabled. For RPC o Protocol to use for outgoing RPC connections: - - "RPC over TCP": Use RPC over TCP for outgoing RPC connections to a remote print spooler - - "RPC over named pipes": Use RPC over named pipes for outgoing RPC connections to a remote print spooler +- "RPC over TCP": Use RPC over TCP for outgoing RPC connections to a remote print spooler +- "RPC over named pipes": Use RPC over named pipes for outgoing RPC connections to a remote print spooler. Use authentication for outgoing RPC over named pipes connections: - - "Default": By default domain joined computers enable RPC authentication for RPC over named pipes while non domain joined computers disable RPC authentication for RPC over named pipes - - "Authentication enabled": RPC authentication will be used for outgoing RPC over named pipes connections - - "Authentication disabled": RPC authentication won't be used for outgoing RPC over named pipes connections +- "Default": By default domain joined computers enable RPC authentication for RPC over named pipes while non domain joined computers disable RPC authentication for RPC over named pipes +- "Authentication enabled": RPC authentication will be used for outgoing RPC over named pipes connections +- "Authentication disabled": RPC authentication won't be used for outgoing RPC over named pipes connections. If you disable or don't configure this policy setting, the above defaults will be used. 
@@ -568,14 +568,14 @@ By default, RPC over TCP is enabled and Negotiate is used for the authentication Protocols to allow for incoming RPC connections: - - "RPC over named pipes": Incoming RPC connections are only allowed over named pipes - - "RPC over TCP": Incoming RPC connections are only allowed over TCP (the default option) - - "RPC over named pipes and TCP": Incoming RPC connections will be allowed over TCP and named pipes +- "RPC over named pipes": Incoming RPC connections are only allowed over named pipes +- "RPC over TCP": Incoming RPC connections are only allowed over TCP (the default option) +- "RPC over named pipes and TCP": Incoming RPC connections will be allowed over TCP and named pipes. Authentication protocol to use for incoming RPC connections: - - "Negotiate": Use the Negotiate authentication protocol (the default option) - - "Kerberos": Use the Kerberos authentication protocol +- "Negotiate": Use the Negotiate authentication protocol (the default option) +- "Kerberos": Use the Kerberos authentication protocol. If you disable or don't configure this policy setting, the above defaults will be used. @@ -637,7 +637,7 @@ By default dynamic TCP ports are used. RPC over TCP port: - - The port to use for RPC over TCP. A value of 0 is the default and indicates that dynamic TCP ports will be used +- The port to use for RPC over TCP. A value of 0 is the default and indicates that dynamic TCP ports will be used. If you disable or don't configure this policy setting, dynamic TCP ports are used. 
@@ -880,21 +880,29 @@ This policy setting controls the client Point and Print behavior, including the - If you enable this policy setting: -Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver isn't available on the client, no connection will be made. + -You can configure Windows Vista clients so that security warnings and elevated command prompts don't appear when users Point and Print, or when printer connection drivers need to be updated. - If you don't configure this policy setting: -Windows Vista client computers can point and print to any server. + -Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. + -Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. + -Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. - If you disable this policy setting: -Windows Vista client computers can create a printer connection to any server using Point and Print. + -Windows Vista computers won't show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. + -Windows Vista computers won't show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. + -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. + -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). 
@@ -955,21 +963,29 @@ This policy setting controls the client Point and Print behavior, including the - If you enable this policy setting: -Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver isn't available on the client, no connection will be made. + -You can configure Windows Vista clients so that security warnings and elevated command prompts don't appear when users Point and Print, or when printer connection drivers need to be updated. - If you don't configure this policy setting: -Windows Vista client computers can point and print to any server. + -Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. + -Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. + -Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. - If you disable this policy setting: -Windows Vista client computers can create a printer connection to any server using Point and Print. + -Windows Vista computers won't show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. + -Windows Vista computers won't show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. + -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. + -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). 
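Review bot: The items under each "If you ..." bullet start with a bare hyphen ("-Windows XP and later clients ...", "-Windows Vista client computers ..."), and this hunk separates them with blank lines. Without a space after the hyphen they are not list items, so each one becomes a standalone paragraph that begins with a stray "-" and loses its visual tie to the parent bullet. Suggest indented "- " sub-bullets under each parent instead of blank-line separation; the same applies to the identical hunk at -880.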
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index be4b3f472d..28175d1f22 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -4,7 +4,7 @@ description: Learn more about the Privacy Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -92,7 +92,9 @@ Allows or disallows the automatic acceptance of the pairing and privacy user con This policy setting determines whether Clipboard contents can be synchronized across devices. - If you enable this policy setting, Clipboard contents are allowed to be synchronized across devices logged in under the same Microsoft account or Azure AD account. + - If you disable this policy setting, Clipboard contents can't be shared to other devices. + Policy change takes effect immediately. @@ -375,7 +377,9 @@ In some managed environments, the privacy settings may be set by other policies. This policy setting determines whether ActivityFeed is enabled. - If you enable this policy setting, all activity types (as applicable) are allowed to be published and ActivityFeed shall roam these activities across device graph of the user. + - If you disable this policy setting, activities can't be published and ActivityFeed shall disable cloud sync. + Policy change takes effect immediately. @@ -6569,7 +6573,9 @@ If an app is open when this Group Policy object is applied on a device, employee This policy setting determines whether User Activities can be published. - If you enable this policy setting, activities of type User Activity are allowed to be published. + - If you disable this policy setting, activities of type User Activity aren't allowed to be published. + Policy change takes effect immediately. 
@@ -6638,8 +6644,11 @@ For more information, see [Windows activity history and your privacy](https://su This policy setting determines whether published User Activities can be uploaded. - If you enable this policy setting, activities of type User Activity are allowed to be uploaded. + - If you disable this policy setting, activities of type User Activity aren't allowed to be uploaded. + Deletion of activities of type User Activity are independent of this setting. + Policy change takes effect immediately. diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md index 91aca6c11a..e241740d64 100644 --- a/windows/client-management/mdm/policy-csp-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-remoteassistance.md @@ -4,7 +4,7 @@ description: Learn more about the RemoteAssistance Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -173,7 +173,7 @@ This policy setting allows you to turn on or turn off Solicited (Ask for) Remote - If you don't configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings. -- If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." +- If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer". The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open. 
@@ -242,35 +242,37 @@ This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote - If you don't configure this policy setting, users on this computer can't get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. -- If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance. +- If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer". When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance. -To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format: +To configure the list of helpers, click "Show". In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format: -``\\`` or +``\\`` or. ``\\`` - If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running. -Windows Vista and later +Windows Vista and later. Enable the Remote Assistance exception for the domain profile. The exception must contain: + Port 135:TCP %WINDIR%\System32\msra.exe -%WINDIR%\System32\raserver.exe +%WINDIR%\System32\raserver.exe. 
Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1) Port 135:TCP %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -%WINDIR%\System32\Sessmgr.exe +%WINDIR%\System32\Sessmgr.exe. For computers running Windows Server 2003 with Service Pack 1 (SP1) Port 135:TCP %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe. + Allow Remote Desktop Exception. diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index a8fd231e77..44e7a1f931 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -4,7 +4,7 @@ description: Learn more about the RemoteDesktopServices Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
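Review bot: In the policy-csp-remoteassistance.md hunk at -242, periods are appended to lines that are literal values: the firewall exception entries now end "%WINDIR%\System32\raserver.exe.", "%WINDIR%\System32\Sessmgr.exe." and "%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe.". These lines get copied into firewall exception rules, and the period reads as part of the program path. Drop the period on the path lines and put each exception list (port plus executables) in a list or code block so sentence punctuation never touches the values. The "or." between the two helper name formats also turns a connective into a sentence of its own; keep it as "or". "Windows Vista and later." is a label for the list that follows and reads better without the period, or as a heading.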
@@ -116,9 +116,9 @@ Specifies whether to require the use of a specific encryption level to secure co - If you disable or don't configure this setting, the encryption level to be used for remote connections to RD Session Host servers isn't enforced through Group Policy. -Important +Important. -FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. +FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options). The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 20898c239f..550fbeae03 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md 
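Review bot: In the policy-csp-remotedesktopservices.md hunk at -116, "Important" becomes "Important.", which leaves the label as a one-word sentence. Other files in this patch mark the same thing with a "> [!IMPORTANT]" callout; use that here. The rewritten paragraph also still reads "configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings", which splits what looks like a single setting name across two sentences. Since the line is being changed anyway, restore it as one quoted name so readers can find the setting under Security Options.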
@@ -4,7 +4,7 @@ description: Learn more about the Search Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -228,7 +228,9 @@ This policy controls whether the user can configure search to *Find My Files* mo This policy setting allows encrypted items to be indexed. - If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). + - If you disable this policy setting, the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores. This policy setting isn't configured by default. + - If you don't configure this policy setting, the local setting, configured through Control Panel, will be used. By default, the Control Panel setting is set to not index encrypted content. When this setting is enabled or disabled, the index is rebuilt completely. @@ -483,7 +485,9 @@ This policy has been deprecated. This policy setting allows words that contain diacritic characters to be treated as separate words. - If you enable this policy setting, words that only differ in diacritics are treated as different words. + - If you disable this policy setting, words with diacritics and words without diacritics are treated as identical words. This policy setting isn't configured by default. + - If you don't configure this policy setting, the local setting, configured through Control Panel, will be used. > [!NOTE] 
@@ -596,6 +600,7 @@ Allow Windows indexer. Value type is integer. This policy setting determines when Windows uses automatic language detection results, and when it relies on indexing history. - If you enable this policy setting, Windows will always use automatic language detection to index (as it did in Windows 7). Using automatic language detection can increase memory usage. We recommend enabling this policy setting only on PCs where documents are stored in many languages. + - If you disable or don't configure this policy setting, Windows will use automatic language detection only when it can determine the language of a document with high confidence. diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index c4560c25f4..8ed5d9c722 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -4,7 +4,7 @@ description: Learn more about the Settings Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -730,11 +730,11 @@ This policy has two modes: it can either specify a list of settings pages to sho Example: to specify that only the About and Bluetooth pages should be shown (their respective URIs are ms-settings:about and ms-settings:bluetooth) and all other pages hidden: -showonly:about;bluetooth +showonly:about;bluetooth. Example: to specify that only the Bluetooth page (which has URI ms-settings:bluetooth) should be hidden: -hide:bluetooth +hide:bluetooth. The availability of per-user support is documented here: diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md index 7cb8b3629e..65fcee902c 100644 --- a/windows/client-management/mdm/policy-csp-smartscreen.md 
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md @@ -4,7 +4,7 @@ description: Learn more about the SmartScreen Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -41,13 +41,13 @@ App Install Control is a feature of Windows Defender SmartScreen that helps prot - If you enable this setting, you must choose from the following behaviors: -- Turn off app recommendations +- Turn off app recommendations. -- Show me app recommendations +- Show me app recommendations. -- Warn me before installing apps from outside the Store +- Warn me before installing apps from outside the Store. -- Allow apps from Store only +- Allow apps from Store only. - If you disable or don't configure this setting, users will be able to install apps from anywhere, including files downloaded from the Internet. @@ -123,7 +123,7 @@ Some information is sent to Microsoft about files and programs run on PCs with t - If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options: - Warn and prevent bypass -- Warn +- Warn. - If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs won't present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app. 
@@ -201,7 +201,7 @@ Some information is sent to Microsoft about files and programs run on PCs with t - If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options: - Warn and prevent bypass -- Warn +- Warn. - If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs won't present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app. diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 4b2f62cf0c..a4e21ea68d 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -4,7 +4,7 @@ description: Learn more about the Start Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1998,6 +1998,7 @@ To validate this policy, do the following steps: This policy setting allows you to control pinning programs to the Taskbar. - If you enable this policy setting, users can't change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users can't unpin these programs already pinned to the Taskbar, and they can't pin new programs to the Taskbar. + - If you disable or don't configure this policy setting, users can change the programs currently pinned to the Taskbar. 
@@ -2203,6 +2204,7 @@ Note configuring this policy to "Show" or "Hide" on supported versions of Window Specifies the Start layout for users. This setting lets you specify the Start layout for users and prevents them from changing its configuration. The Start layout you specify must be stored in an XML file that was generated by the Export-StartLayout PowerShell cmdlet. + To use this setting, you must first manually configure a device's Start layout to the desired look and feel. Once you are done, run the Export-StartLayout PowerShell cmdlet on that same device. The cmdlet will generate an XML file representing the layout you configured. Once the XML file is generated and moved to the desired file path, type the fully qualified path and name of the XML file. You can type a local path, such as C:\StartLayouts\myLayout.xml or a UNC path, such as \\Server\Share\Layout.xml. If the specified file isn't available when the user logs on, the layout won't be changed. Users can't customize their Start screen while this setting is enabled. diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index da0068fd9c..18fc7fc7db 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -4,7 +4,7 @@ description: Learn more about the Storage Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -42,12 +42,15 @@ ms.topic: reference Allows downloading new updates to ML Model parameters for predicting storage disk failure. Enabled: + Updates would be downloaded for the Disk Failure Prediction Failure Model. Disabled: + Updates wouldn't be downloaded for the Disk Failure Prediction Failure Model. Not configured: + Same as Enabled. 
@@ -114,12 +117,15 @@ Same as Enabled. Storage Sense can automatically clean some of the user's files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the "Configure Storage Sense cadence" group policy. Enabled: + Storage Sense is turned on for the machine, with the default cadence as 'during low free disk space'. Users can't disable Storage Sense, but they can adjust the cadence (unless you also configure the "Configure Storage Sense cadence" group policy). Disabled: + Storage Sense is turned off the machine. Users can't enable Storage Sense. Not Configured: + By default, Storage Sense is turned off until the user runs into low disk space or the user enables it manually. Users can configure this setting in Storage settings. @@ -188,12 +194,15 @@ When Storage Sense runs, it can delete the user's temporary files that aren't in If the group policy "Allow Storage Sense" is disabled, then this policy doesn't have any effect. Enabled: + Storage Sense will delete the user's temporary files that aren't in use. Users can't disable this setting in Storage settings. Disabled: + Storage Sense won't delete the user's temporary files. Users can't enable this setting in Storage settings. Not Configured: + By default, Storage Sense will delete the user's temporary files. Users can configure this setting in Storage settings. 
@@ -262,10 +271,13 @@ When Storage Sense runs, it can dehydrate cloud-backed content that hasn't been If the group policy "Allow Storage Sense" is disabled, then this policy doesn't have any effect. Enabled: + You must provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates it from the sync root. Supported values are: 0 - 365. + If you set this value to zero, Storage Sense won't dehydrate any cloud-backed content. The default value is 0, or never dehydrating cloud-backed content. Disabled or Not Configured: + By default, Storage Sense won't dehydrate any cloud-backed content. Users can configure this setting in Storage settings. @@ -325,10 +337,13 @@ When Storage Sense runs, it can delete files in the user's Downloads folder if t If the group policy "Allow Storage Sense" is disabled, then this policy doesn't have any effect. Enabled: + You must provide the minimum number of days a file can remain unopened before Storage Sense deletes it from Downloads folder. Supported values are: 0 - 365. + If you set this value to zero, Storage Sense won't delete files in the user's Downloads folder. The default is 0, or never deleting files in the Downloads folder. Disabled or Not Configured: + By default, Storage Sense won't delete files in the user's Downloads folder. Users can configure this setting in Storage settings. @@ -388,9 +403,11 @@ Storage Sense can automatically clean some of the user's files to free up disk s If the group policy "Allow Storage Sense" is disabled, then this policy doesn't have any effect. Enabled: + You must provide the desired Storage Sense cadence. Supported options are: daily, weekly, monthly, and during low free disk space. The default is 0 (during low free disk space). Disabled or Not Configured: + By default, the Storage Sense cadence is set to "during low free disk space". Users can configure this setting in Storage settings. 
@@ -457,10 +474,13 @@ When Storage Sense runs, it can delete files in the user's Recycle Bin if they'v If the group policy "Allow Storage Sense" is disabled, then this policy doesn't have any effect. Enabled: + You must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are: 0 - 365. + If you set this value to zero, Storage Sense won't delete files in the user's Recycle Bin. The default is 30 days. Disabled or Not Configured: + By default, Storage Sense will delete files in the user's Recycle Bin that have been there for over 30 days. Users can configure this setting in Storage settings. @@ -581,7 +601,7 @@ This policy setting denies write access to removable disks. - If you disable or don't configure this policy setting, write access is allowed to this removable storage class. > [!NOTE] -> To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." +> To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives". diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index fe0d8004e6..3675d15cfb 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -4,7 +4,7 @@ description: Learn more about the System Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -112,13 +112,16 @@ This policy is only supported up to Windows 10, Version 1703. Please use 'Manage AllowCommercialDataPipeline configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>. + To enable this behavior: 1. Enable this policy setting -2. Join an Azure Active Directory account to the device +2. Join an Azure Active Directory account to the device. + +Windows diagnostic data is collected when the Allow Telemetry policy setting is set to value 1 - Required or above. Configuring this setting doesn't change the Windows diagnostic data collection level set for the device. -Windows diagnostic data is collected when the Allow Telemetry policy setting is set to value 1 - Required or above. Configuring this setting doesn't change the Windows diagnostic data collection level set for the device If you disable or don't configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsoft's privacy statement at unless you have enabled policies like 'Allow Update Compliance Processing' or 'Allow Desktop Analytics Processing". + See the documentation at for information on this and other policies that will result in Microsoft being the processor of Windows diagnostic data. 
@@ -187,15 +190,17 @@ See the documentation at for i This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID, enables organizations to configure the device so that Microsoft is the processor for Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>. + To enable this behavior: 1. Enable this policy setting -2. Join an Azure Active Directory account to the device +2. Join an Azure Active Directory account to the device. 3. Set Allow Telemetry to value 1 - Required, or higher -4. Set the Configure the Commercial ID setting for your Desktop Analytics workspace +4. Set the Configure the Commercial ID setting for your Desktop Analytics workspace. When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. + This setting has no effect on devices unless they're properly enrolled in Desktop Analytics. If you disable this policy setting, devices won't appear in Desktop Analytics. 
@@ -675,12 +680,15 @@ Controls whether the user is allowed to use the storage card for device storage. By configuring this policy setting you can adjust what diagnostic data is collected from Windows. This policy setting also restricts the user from increasing the amount of diagnostic data collection via the Settings app. The diagnostic data collected under this policy impacts the operating system and apps that are considered part of Windows and doesn't apply to any additional apps installed by your organization. - Diagnostic data off (not recommended). Using this value, no diagnostic data is sent from the device. This value is only supported on Enterprise, Education, and Server editions. + - Send required diagnostic data. This is the minimum diagnostic data necessary to keep Windows secure, up to date, and performing as expected. Using this value disables the "Optional diagnostic data" control in the Settings app. + - Send optional diagnostic data. Additional diagnostic data is collected that helps us to detect, diagnose and fix issues, as well as make product improvements. Required diagnostic data will always be included when you choose to send optional diagnostic data. Optional diagnostic data can also include diagnostic log files and crash dumps. Use the "Limit Dump Collection" and the "Limit Diagnostic Log Collection" policies for more granular control of what optional diagnostic data is sent. If you disable or don't configure this policy setting, the device will send required diagnostic data and the end user can choose whether to send optional diagnostic data from the Settings app. Note: + The "Configure diagnostic data opt-in settings user interface" group policy can be used to prevent end users from changing their data collection settings. 
@@ -745,15 +753,17 @@ The "Configure diagnostic data opt-in settings user interface" group policy can This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID, enables organizations to configure the device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>. + To enable this behavior: 1. Enable this policy setting -2. Join an Azure Active Directory account to the device +2. Join an Azure Active Directory account to the device. 3. Set Allow Telemetry to value 1 - Required, or higher -4. Set the Configure the Commercial ID setting for your Update Compliance workspace +4. Set the Configure the Commercial ID setting for your Update Compliance workspace. When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. + If you disable or don't configure this policy setting, devices won't appear in Update Compliance. 
@@ -868,14 +878,16 @@ Specifies whether to allow the user to factory reset the device by using control This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>. + To enable this behavior: 1. Enable this policy setting -2. Join an Azure Active Directory account to the device +2. Join an Azure Active Directory account to the device. -3. Set Allow Telemetry to value 1 - Required, or higher +3. Set Allow Telemetry to value 1 - Required, or higher. When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. + If you disable or don't configure this policy setting, devices enrolled to the Windows Update for Business deployment service won't be able to take advantage of some deployment service features. 
@@ -942,12 +954,15 @@ If you disable or don't configure this policy setting, devices enrolled to the W This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: - - Good: The driver has been signed and hasn't been tampered with. - - Bad: The driver has been identified as malware. It's recommended that you don't allow known bad drivers to be initialized. - - Bad, but required for boot: The driver has been identified as malware, but the computer can't successfully boot without loading this driver. - - Unknown: This driver hasn't been attested to by your malware detection application and hasn't been classified by the Early Launch Antimalware boot-start driver. +- Good: The driver has been signed and hasn't been tampered with. -- If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. +- Bad: The driver has been identified as malware. It's recommended that you don't allow known bad drivers to be initialized. + +- Bad, but required for boot: The driver has been identified as malware, but the computer can't successfully boot without loading this driver. + +- Unknown: This driver hasn't been attested to by your malware detection application and hasn't been classified by the Early Launch Antimalware boot-start driver. + +- If you enable this policy setting you'll be able to choose which boot-start drivers to initialize the next time the computer is started. - If you disable or don't configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. 
@@ -1009,6 +1024,7 @@ If your malware detection application doesn't include an Early Launch Antimalwar This policy sets the upload endpoint for this device's diagnostic data as part of the Desktop Analytics program. If your organization is participating in the program and has been instructed to configure a custom upload endpoint, then use this setting to define that endpoint. + The value for this setting will be provided by Microsoft as part of the onboarding process for the program. @@ -1135,6 +1151,7 @@ If you set this policy setting to "Disable diagnostic data opt-in settings", dia If you don't configure this policy setting, or you set it to "Enable diagnostic data opt-in settings", end users can change the device diagnostic settings in the Settings app. Note: + To set a limit on the amount of diagnostic data that's sent to Microsoft by your organization, use the "Allow Diagnostic Data" policy setting. @@ -1454,9 +1471,13 @@ This policy setting lets you prevent apps and features from working with files o - If you enable this policy setting: * Users can't access OneDrive from the OneDrive app and file picker. + * Windows Store apps can't access OneDrive using the WinRT API. + * OneDrive doesn't appear in the navigation pane in File Explorer. + * OneDrive files aren't kept in sync with the cloud. + * Users can't automatically upload photos and videos from the camera roll folder. - If you disable or don't configure this policy setting, apps and features can work with OneDrive file storage. 
@@ -1972,10 +1993,10 @@ This policy setting, in combination with the "Allow Diagnostic Data" policy sett To enable the behavior described above, complete the following steps: 1. Enable this policy setting -2. Set the "Allow Diagnostic Data" policy to "Send optional diagnostic data" +2. Set the "Allow Diagnostic Data" policy to "Send optional diagnostic data". 3. Enable the "Limit Dump Collection" policy -4. Enable the "Limit Diagnostic Log Collection" policy +4. Enable the "Limit Diagnostic Log Collection" policy. When these policies are configured, Microsoft will collect only required diagnostic data and the events required by Desktop Analytics, which can be viewed at< https://go.microsoft.com/fwlink/?linkid=2116020>. diff --git a/windows/client-management/mdm/policy-csp-tenantrestrictions.md b/windows/client-management/mdm/policy-csp-tenantrestrictions.md index 0015fd1d3c..423c7eb410 100644 --- a/windows/client-management/mdm/policy-csp-tenantrestrictions.md +++ b/windows/client-management/mdm/policy-csp-tenantrestrictions.md @@ -4,7 +4,7 @@ description: Learn more about the TenantRestrictions Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -49,6 +49,7 @@ When you enable this setting, compliant applications will be prevented from acce Before enabling firewall protection, ensure that a Windows Defender Application Control (WDAC) policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding WDAC policy will prevent all applications from reaching Microsoft endpoints. This firewall setting isn't supported on all versions of Windows - see the following link for more information. + For details about setting up WDAC with tenant restrictions, see 
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 8cf24f2de2..7e5bd5f9ea 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -4,7 +4,7 @@ description: Learn more about the TextInput Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -658,11 +658,11 @@ Allows the user to turn on or off the automatic downloading of newer versions of -This policy setting controls the version of Microsoft IME. +This policy setting controls the version of Microsoft IME. -- If you don't configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default. +- If you don't configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default. -- If you enable this, user isn't allowed to control IME version to use. The previous version of Microsoft IME is always selected. +- If you enable this, user isn't allowed to control IME version to use. The previous version of Microsoft IME is always selected. - If you disable this, user isn't allowed to control IME version to use. The new Microsoft IME is always selected. 
@@ -733,11 +733,11 @@ This Policy setting applies only to Microsoft Japanese IME. -This policy setting controls the version of Microsoft IME. +This policy setting controls the version of Microsoft IME. -- If you don't configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default. +- If you don't configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default. -- If you enable this, user isn't allowed to control IME version to use. The previous version of Microsoft IME is always selected. +- If you enable this, user isn't allowed to control IME version to use. The previous version of Microsoft IME is always selected. - If you disable this, user isn't allowed to control IME version to use. The new Microsoft IME is always selected. @@ -799,11 +799,11 @@ This Policy setting applies only to Microsoft Korean IME. -This policy setting controls the version of Microsoft IME. +This policy setting controls the version of Microsoft IME. -- If you don't configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default. +- If you don't configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default. -- If you enable this, user isn't allowed to control IME version to use. The previous version of Microsoft IME is always selected. +- If you enable this, user isn't allowed to control IME version to use. The previous version of Microsoft IME is always selected. - If you disable this, user isn't allowed to control IME version to use. The new Microsoft IME is always selected. 
@@ -874,11 +874,11 @@ This Policy setting applies only to Microsoft Simplified Chinese IME. -This policy setting controls the version of Microsoft IME. +This policy setting controls the version of Microsoft IME. -- If you don't configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default. +- If you don't configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default. -- If you enable this, user isn't allowed to control IME version to use. The previous version of Microsoft IME is always selected. +- If you enable this, user isn't allowed to control IME version to use. The previous version of Microsoft IME is always selected. - If you disable this, user isn't allowed to control IME version to use. The new Microsoft IME is always selected. diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md index 5d793747db..a2c178b25b 100644 --- a/windows/client-management/mdm/policy-csp-troubleshooting.md +++ b/windows/client-management/mdm/policy-csp-troubleshooting.md @@ -4,7 +4,7 @@ description: Learn more about the Troubleshooting Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -42,23 +42,31 @@ This policy setting configures how troubleshooting for known problems can be app Not configuring this policy setting will allow the user to configure how troubleshooting is applied. Enabling this policy allows you to configure how troubleshooting is applied on the user's device. You can select from one of the following values: + 0 = Don't allow users, system features, or Microsoft to apply troubleshooting. + 1 = Only automatically apply troubleshooting for critical problems by system features and Microsoft. + 2 = Automatically apply troubleshooting for critical problems by system features and Microsoft. Notify users when troubleshooting for other problems is available and allow users to choose to apply or ignore. + 3 = Automatically apply troubleshooting for critical and other problems by system features and Microsoft. Notify users when troubleshooting has solved a problem. + 4 = Automatically apply troubleshooting for critical and other problems by system features and Microsoft. Don't notify users when troubleshooting has solved a problem. + 5 = Allow the user to choose their own troubleshooting settings. After setting this policy, you can use the following instructions to check devices in your domain for available troubleshooting from Microsoft: 1. Create a bat script with the following contents: -rem The following batch script triggers Recommended Troubleshooting -schtasks /run /TN "\Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" + +rem The following batch script triggers Recommended Troubleshooting schtasks /run /TN "\Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner". 2. To create a new immediate task, navigate to the Group Policy Management Editor > Computer Configuration > Preferences and select Control Panel Settings. + 3. Under Control Panel settings, right-click on Scheduled Tasks and select New. Select Immediate Task (At least Windows 7). 4. 
Provide name and description as appropriate, then under Security Options set the user account to System and select the Run with highest privileges checkbox. + 5. In the Actions tab, create a new action, select Start a Program as its type, then enter the file created in step 1. 6. Configure the task to deploy to your domain. diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 022286e154..7bf033e87e 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -363,7 +363,7 @@ The maintenance wakeup policy specifies if Automatic Maintenance should make a w Enable this policy to specify when to receive Feature Updates. -Defer Updates | This enables devices to defer taking the next Feature Update available for their current product (or a new product if specified in the Select the target Feature Update version policy). You can defer a Feature Update for up to 14 days for all pre-release channels and up to 365 days for the General Availability Channel. To learn more about the current releases, please see aka.ms/WindowsTargetVersioninfo +Defer Updates | This enables devices to defer taking the next Feature Update available for their current product (or a new product if specified in the Select the target Feature Update version policy). You can defer a Feature Update for up to 14 days for all pre-release channels and up to 365 days for the General Availability Channel. To learn more about the current releases, please see aka.ms/WindowsTargetVersioninfo. Pause Updates | To prevent Feature Updates from being offered to the device, you can temporarily pause Feature Updates. This pause will remain in effect for 35 days from the specified start date or until the field is cleared. Note, Quality Updates will still be offered even if Feature Updates are paused. 
@@ -433,7 +433,7 @@ Pause Updates | To prevent Feature Updates from being offered to the device, you Enable this policy to specify when to receive Feature Updates. -Defer Updates | This enables devices to defer taking the next Feature Update available for their current product (or a new product if specified in the Select the target Feature Update version policy). You can defer a Feature Update for up to 14 days for all pre-release channels and up to 365 days for the General Availability Channel. To learn more about the current releases, please see aka.ms/WindowsTargetVersioninfo +Defer Updates | This enables devices to defer taking the next Feature Update available for their current product (or a new product if specified in the Select the target Feature Update version policy). You can defer a Feature Update for up to 14 days for all pre-release channels and up to 365 days for the General Availability Channel. To learn more about the current releases, please see aka.ms/WindowsTargetVersioninfo. Pause Updates | To prevent Feature Updates from being offered to the device, you can temporarily pause Feature Updates. This pause will remain in effect for 35 days from the specified start date or until the field is cleared. Note, Quality Updates will still be offered even if Feature Updates are paused. 
@@ -679,22 +679,25 @@ If you disable or don't configure this policy, Windows Update will include updat Enable this policy to manage which updates you receive prior to the update being released to the world. -Dev Channel +Dev Channel. + Ideal for highly technical users. Insiders in the Dev Channel will receive builds from our active development branch that's earliest in a development cycle. These builds aren't matched to a specific Windows 10 release. -Beta Channel +Beta Channel. + Ideal for feature explorers who want to see upcoming Windows 10 features. Your feedback will be especially important here as it will help our engineers ensure key issues are fixed before a major release. Release Preview Channel (default) Insiders in the Release Preview Channel will have access to the upcoming release of Windows 10 prior to it being released to the world. These builds are supported by Microsoft. The Release Preview Channel is where we recommend companies preview and validate upcoming Windows 10 releases before broad deployment within their organization. -Release Preview Channel, Quality Updates Only +Release Preview Channel, Quality Updates Only. + Ideal for those who want to validate the features and fixes coming soon to their current version. Note, released feature updates will continue to be offered in accordance with configured policies when this option is selected. > [!NOTE] > Preview Build enrollment requires a telemetry level setting of 2 or higher and your domain registered on insider.windows.com. For additional information on Preview Builds, see: -If you disable or don't configure this policy, Windows Update won't offer you any pre-release updates and you will receive such content once released to the world. Disabling this policy will cause any devices currently on a pre-release build to opt out and stay on the latest Feature Update once released. 
+If you disable or don't configure this policy, Windows Update won't offer you any pre-release updates and you'll receive such content once released to the world. Disabling this policy will cause any devices currently on a pre-release build to opt out and stay on the latest Feature Update once released. @@ -760,7 +763,7 @@ If you disable or don't configure this policy, Windows Update won't offer you an Enable this policy to specify when to receive Feature Updates. -Defer Updates | This enables devices to defer taking the next Feature Update available for their current product (or a new product if specified in the Select the target Feature Update version policy). You can defer a Feature Update for up to 14 days for all pre-release channels and up to 365 days for the General Availability Channel. To learn more about the current releases, please see aka.ms/WindowsTargetVersioninfo +Defer Updates | This enables devices to defer taking the next Feature Update available for their current product (or a new product if specified in the Select the target Feature Update version policy). You can defer a Feature Update for up to 14 days for all pre-release channels and up to 365 days for the General Availability Channel. To learn more about the current releases, please see aka.ms/WindowsTargetVersioninfo. Pause Updates | To prevent Feature Updates from being offered to the device, you can temporarily pause Feature Updates. This pause will remain in effect for 35 days from the specified start date or until the field is cleared. Note, Quality Updates will still be offered even if Feature Updates are paused. 
@@ -1008,13 +1011,13 @@ Specifies the date and time when the IT admin wants to start pausing the Quality Enter the product and version as listed on the Windows Update target version page: -aka.ms/WindowsTargetVersioninfo +aka.ms/WindowsTargetVersioninfo. The device will request that Windows Update product and version in subsequent scans. Entering a target product and clicking OK or Apply means I accept the Microsoft Software License Terms for it found at aka.ms/WindowsTargetVersioninfo. If an organization is licensing the software, I am authorized to bind the organization. -If you enter an invalid value, you will remain on your current version until you correct the values to a supported product and version. +If you enter an invalid value, you'll remain on your current version until you correct the values to a supported product and version. @@ -1076,13 +1079,13 @@ Supported value type is a string containing a Windows product. For example, "Win Enter the product and version as listed on the Windows Update target version page: -aka.ms/WindowsTargetVersioninfo +aka.ms/WindowsTargetVersioninfo. The device will request that Windows Update product and version in subsequent scans. Entering a target product and clicking OK or Apply means I accept the Microsoft Software License Terms for it found at aka.ms/WindowsTargetVersioninfo. If an organization is licensing the software, I am authorized to bind the organization. -If you enter an invalid value, you will remain on your current version until you correct the values to a supported product and version. +If you enter an invalid value, you'll remain on your current version until you correct the values to a supported product and version. 
@@ -1892,6 +1895,7 @@ Note that the PC must restart for certain updates to take effect. If any of the following two policies are enabled, this policy has no effect: 1. No auto-restart with logged-on users for scheduled automatic updates installations. + 2. Always automatically restart at scheduled time. Note that the default max active hours range is 18 hours from the active hours start time unless otherwise configured via the Specify active hours range for auto-restarts policy. @@ -2018,6 +2022,7 @@ Note that the PC must restart for certain updates to take effect. If any of the following two policies are enabled, this policy has no effect: 1. No auto-restart with logged-on users for scheduled automatic updates installations. + 2. Always automatically restart at scheduled time. Note that the default max active hours range is 18 hours from the active hours start time unless otherwise configured via the Specify active hours range for auto-restarts policy. @@ -2086,7 +2091,7 @@ This setting lets you specify whether automatic updates are enabled on this comp When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates. -3 = (Default setting) Download the updates automatically and notify when they're ready to be installed +3 = (Default setting) Download the updates automatically and notify when they're ready to be installed. Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them. 
@@ -2252,7 +2257,7 @@ This setting lets you specify whether automatic updates are enabled on this comp When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates. -3 = (Default setting) Download the updates automatically and notify when they're ready to be installed +3 = (Default setting) Download the updates automatically and notify when they're ready to be installed. Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them. @@ -2745,7 +2750,7 @@ Enable enterprises/IT admin to configure feature update uninstall period. 0 (default) - Use the default Windows Update notifications 1 - Turn off all notifications, excluding restart warnings -2 - Turn off all notifications, including restart warnings +2 - Turn off all notifications, including restart warnings. This policy allows you to define what Windows Update notifications users see. This policy doesn't control how and when updates are downloaded and installed. 
@@ -2827,7 +2832,7 @@ This setting lets you specify whether automatic updates are enabled on this comp When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates. -3 = (Default setting) Download the updates automatically and notify when they're ready to be installed +3 = (Default setting) Download the updates automatically and notify when they're ready to be installed. Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them. @@ -2931,7 +2936,7 @@ This setting lets you specify whether automatic updates are enabled on this comp When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates. -3 = (Default setting) Download the updates automatically and notify when they're ready to be installed +3 = (Default setting) Download the updates automatically and notify when they're ready to be installed. Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them. 
@@ -3029,7 +3034,7 @@ This setting lets you specify whether automatic updates are enabled on this comp When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates. -3 = (Default setting) Download the updates automatically and notify when they're ready to be installed +3 = (Default setting) Download the updates automatically and notify when they're ready to be installed. Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them. @@ -3136,7 +3141,7 @@ This setting lets you specify whether automatic updates are enabled on this comp When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates. -3 = (Default setting) Download the updates automatically and notify when they're ready to be installed +3 = (Default setting) Download the updates automatically and notify when they're ready to be installed. Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them. 
@@ -3243,7 +3248,7 @@ This setting lets you specify whether automatic updates are enabled on this comp When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates. -3 = (Default setting) Download the updates automatically and notify when they're ready to be installed +3 = (Default setting) Download the updates automatically and notify when they're ready to be installed. Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them. @@ -3350,7 +3355,7 @@ This setting lets you specify whether automatic updates are enabled on this comp When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates. -3 = (Default setting) Download the updates automatically and notify when they're ready to be installed +3 = (Default setting) Download the updates automatically and notify when they're ready to be installed. Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them. 
@@ -3457,7 +3462,7 @@ This setting lets you specify whether automatic updates are enabled on this comp When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded. After going to Windows Update, users can download and install any available updates. -3 = (Default setting) Download the updates automatically and notify when they're ready to be installed +3 = (Default setting) Download the updates automatically and notify when they're ready to be installed. Windows finds updates that apply to the computer and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to Windows Update, users can install them. @@ -3743,7 +3748,7 @@ These settings are designed for education devices that remain in carts overnight 0 (default) - Use the default Windows Update notifications 1 - Turn off all notifications, excluding restart warnings -2 - Turn off all notifications, including restart warnings +2 - Turn off all notifications, including restart warnings. This policy allows you to define what Windows Update notifications users see. This policy doesn't control how and when updates are downloaded and installed. @@ -3824,6 +3829,7 @@ If you disable or don't configure this policy, the PC will restart according to Enabling either of the following two policies will override the above policy: 1. No auto-restart with logged-on users for scheduled automatic updates installations. + 2. Always automatically restart at scheduled time. @@ -3888,6 +3894,7 @@ If you disable or don't configure this policy, the PC will restart according to Enabling either of the following two policies will override the above policy: 1. No auto-restart with logged-on users for scheduled automatic updates installations. + 2. Always automatically restart at scheduled time. 
@@ -4307,7 +4314,7 @@ If you disable or don't configure this policy, the PC will restart following the Enabling any of the following policies will override the above policy: 1. No auto-restart with logged-on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time +2. Always automatically restart at scheduled time. 3. Specify deadline before auto-restart for update installation. @@ -4377,7 +4384,7 @@ If you disable or don't configure this policy, the PC will restart following the Enabling any of the following policies will override the above policy: 1. No auto-restart with logged-on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time +2. Always automatically restart at scheduled time. 3. Specify deadline before auto-restart for update installation. @@ -4447,7 +4454,7 @@ If you disable or don't configure this policy, the PC will restart following the Enabling any of the following policies will override the above policy: 1. No auto-restart with logged-on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time +2. Always automatically restart at scheduled time. 3. Specify deadline before auto-restart for update installation. @@ -4517,7 +4524,7 @@ If you disable or don't configure this policy, the PC will restart following the Enabling any of the following policies will override the above policy: 1. No auto-restart with logged-on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time +2. Always automatically restart at scheduled time. 3. Specify deadline before auto-restart for update installation. 
@@ -4587,7 +4594,7 @@ If you disable or don't configure this policy, the PC will restart following the Enabling any of the following policies will override the above policy: 1. No auto-restart with logged-on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time +2. Always automatically restart at scheduled time. 3. Specify deadline before auto-restart for update installation. @@ -4657,7 +4664,7 @@ If you disable or don't configure this policy, the PC will restart following the Enabling any of the following policies will override the above policy: 1. No auto-restart with logged-on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time +2. Always automatically restart at scheduled time. 3. Specify deadline before auto-restart for update installation. diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 72571499bb..a4df2c7458 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -4,7 +4,7 @@ description: Learn more about the UserRights Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -172,7 +172,10 @@ This user right is used by Credential Manager during Backup/Restore. No accounts -This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services aren't affected by this user right. Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. +This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services aren't affected by this user right. + +> [!NOTE] +> Remote Desktop Services was called Terminal Services in previous versions of Windows Server. 
@@ -1656,7 +1659,10 @@ This user right determines which users and groups can run maintenance tasks on a -This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows. Note: This security setting doesn't affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. +This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows. + +> [!NOTE] +> This security setting doesn't affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. 
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 6b9c3280f6..91b3d31ed2 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -4,7 +4,7 @@ description: Learn more about the Wifi Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -116,7 +116,7 @@ ICS lets administrators configure their system as an Internet gateway for a smal - If you enable this setting, ICS can't be enabled or configured by administrators, and the ICS service can't run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled. -- If you disable this setting or don't configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.) +- If you disable this setting or don't configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional). By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS. diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md index bd34cc6487..0c20a2e6ea 100644 --- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md +++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md 
@@ -4,7 +4,7 @@ description: Learn more about the WindowsConnectionManager Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -45,10 +45,12 @@ This policy setting prevents computers from connecting to both a domain based ne Automatic connection attempts - When the computer is already connected to a domain based network, all automatic connection attempts to non-domain networks are blocked. + - When the computer is already connected to a non-domain based network, automatic connection attempts to domain based networks are blocked. Manual connection attempts - When the computer is already connected to either a non-domain based network or a domain based network over media other than Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed. + - When the computer is already connected to either a non-domain based network or a domain based network over Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked. - If this policy setting isn't configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks. diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 68793b34a9..9f244c43bf 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md 
@@ -4,7 +4,7 @@ description: Learn more about the WindowsDefenderSecurityCenter Area in Policy C author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -40,12 +40,15 @@ ms.topic: reference Specify the company name that will be displayed in Windows Security and associated notifications. This setting must be enabled for any contact information to appear. Enabled: + Enter the company name in the Options section. Disabled: + Company information won't be shown at all in either Windows Security or any notifications that it creates. Not configured: + Same as Disabled. @@ -102,12 +105,15 @@ Same as Disabled. Hide the Account protection area in Windows Security. Enabled: + The Account protection area will be hidden. Disabled: + The Account protection area will be shown. Not configured: + Same as Disabled. @@ -174,12 +180,15 @@ Same as Disabled. Hide the App and browser protection area in Windows Security. Enabled: + The App and browser protection area will be hidden. Disabled: + The App and browser protection area will be shown. Not configured: + Same as Disabled. @@ -246,12 +255,15 @@ Same as Disabled. Disable the Clear TPM button in Windows Security. Enabled: + The Clear TPM button will be unavailable for use. Disabled: + The Clear TPM button will be available for use. Not configured: + Same as Disabled. @@ -318,12 +330,15 @@ Same as Disabled. Hide the Device security area in Windows Security. Enabled: + The Device security area will be hidden. Disabled: + The Device security area will be shown. Not configured: + Same as Disabled. 
@@ -392,12 +407,15 @@ Only show critical notifications from Windows Security. If the Suppress all notifications GP setting has been enabled, this setting will have no effect. Enabled: + Local users will only see critical notifications from Windows Security. They won't see other types of notifications, such as regular PC or device health information. Disabled: + Local users will see all types of notifications from Windows Security. Not configured: + Same as Disabled. @@ -464,12 +482,15 @@ Same as Disabled. Hide the Family options area in Windows Security. Enabled: + The Family options area will be hidden. Disabled: + The Family options area will be shown. Not configured: + Same as Disabled. @@ -536,12 +557,15 @@ Same as Disabled. Hide the Device performance and health area in Windows Security. Enabled: + The Device performance and health area will be hidden. Disabled: + The Device performance and health area will be shown. Not configured: + Same as Disabled. @@ -608,12 +632,15 @@ Same as Disabled. Hide the Firewall and network protection area in Windows Security. Enabled: + The Firewall and network protection area will be hidden. Disabled: + The Firewall and network protection area will be shown. Not configured: + Same as Disabled. @@ -680,12 +707,15 @@ Same as Disabled. Hide notifications from Windows Security. Enabled: + Local users won't see notifications from Windows Security. Disabled: + Local users can see notifications from Windows Security. Not configured: + Same as Disabled. @@ -752,12 +782,15 @@ Same as Disabled. Hide the recommendation to update TPM Firmware when a vulnerable firmware is detected. Enabled: + Users won't be shown a recommendation to update their TPM Firmware. Disabled: + Users will see a recommendation to update their TPM Firmware if Windows Security detects the system contains a TPM with vulnerable firmware. Not configured: + Same as Disabled. 
@@ -824,12 +857,15 @@ Same as Disabled. Hide the Virus and threat protection area in Windows Security. Enabled: + The Virus and threat protection area will be hidden. Disabled: + The Virus and threat protection area will be shown. Not configured: + Same as Disabled. @@ -896,12 +932,15 @@ Same as Disabled. Prevent users from making changes to the Exploit protection settings area in Windows Security. Enabled: + Local users can't make changes in the Exploit protection settings area. Disabled: + Local users are allowed to make changes in the Exploit protection settings area. Not configured: + Same as Disabled. @@ -970,12 +1009,15 @@ Specify the email address or email ID that will be displayed in Windows Security Users can click on the contact information to create an email that will be sent to the specified address. The default email application will be used. Enabled: + Enter the email address or email ID in the Options section. Disabled: + A contact email address or email ID won't be shown in either Windows Security or any notifications it creates. Not configured: + Same as Disabled. @@ -1032,19 +1074,23 @@ Same as Disabled. Display specified contact information to local users in Windows Security notifications. Enabled: + Your company contact information will be displayed in notifications that come from Windows Security. After setting this to Enabled, you must configure the Specify contact company name GP setting and at least one of the following GP settings: -Specify contact phone number or Skype ID -Specify contact email number or email ID --Specify contact website +-Specify contact website. + Please note that in some cases we will be limiting the contact options that are displayed based on the notification space available. Disabled: + No contact information will be shown on notifications. Not configured: + Same as Disabled. 
@@ -1108,21 +1154,24 @@ Same as Disabled. -Display specified contact information to local users in a contact card flyout menu in Windows Security +Display specified contact information to local users in a contact card flyout menu in Windows Security. Enabled: + Your company contact information will be displayed in a flyout menu in Windows Security. After setting this to Enabled, you must configure the Specify contact company name GP setting and at least one of the following GP settings: -Specify contact phone number or Skype ID -Specify contact email number or email ID --Specify contact website +-Specify contact website. Disabled: + No contact information will be shown in Windows Security. Not configured: + Same as Disabled. @@ -1189,12 +1238,15 @@ Same as Disabled. Hide the Ransomware data recovery area in Windows Security. Enabled: + The Ransomware data recovery area will be hidden. Disabled: + The Ransomware data recovery area will be shown. Not configured: + Same as Disabled. @@ -1261,12 +1313,15 @@ Same as Disabled. Hide the Secure boot area in Windows Security. Enabled: + The Secure boot area will be hidden. Disabled: + The Secure boot area will be shown. Not configured: + Same as Disabled. @@ -1333,12 +1388,15 @@ Same as Disabled. Hide the Security processor (TPM) troubleshooting area in Windows Security. Enabled: + The Security processor (TPM) troubleshooting area will be hidden. Disabled: + The Security processor (TPM) troubleshooting area will be shown. Not configured: + Same as Disabled. @@ -1407,12 +1465,15 @@ This policy setting hides the Windows Security notification area control. The user needs to either sign out and sign in or reboot the computer for this setting to take effect. Enabled: + Windows Security notification area control will be hidden. Disabled: + Windows Security notification area control will be shown. Not configured: + Same as Disabled. 
@@ -1481,12 +1542,15 @@ Specify the phone number or Skype ID that will be displayed in Windows Security Users can click on the contact information to automatically call the supplied number. Skype will be used to initiate the call. Enabled: + Enter the phone number or Skype ID in the Options section. Disabled: + A contact phone number or Skype ID won't be shown in either Windows Security or any notifications it creates. Not configured: + Same as Disabled. @@ -1545,12 +1609,15 @@ Specify the URL that will be displayed in Windows Security and associated notifi Users can click on the contact information to visit the specified website. The default web browser will be used. Enabled: + Enter the URL in the Options section. Disabled: + A contact website URL won't be shown in either Windows Security or any notifications it creates. Not configured: + Same as Disabled. diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index beb275034b..544703e41a 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -4,7 +4,7 @@ description: Learn more about the WindowsLogon Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -45,7 +45,7 @@ This policy setting controls whether a device will automatically sign in and loc This only occurs if the last interactive user didn't sign out before the restart or shutdown. -If the device is joined to Active Directory or Azure Active Directory, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns. +If the device is joined to Active Directory or Azure Active Directory, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns. - If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots. 
@@ -111,10 +111,11 @@ This policy setting controls the configuration under which an automatic restart - If you enable this policy setting, you can choose one of the following two options: 1. "Enabled if BitLocker is on and not suspended" specifies that automatic sign on and lock will only occur if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device's hard drive at this time if BitLocker isn't on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. + BitLocker is suspended during updates if: - - The device doesn't have TPM 2.0 and PCR7, or - - The device doesn't use a TPM-only protector +- The device doesn't have TPM 2.0 and PCR7, or +- The device doesn't use a TPM-only protector. 2. "Always Enabled" specifies that automatic sign on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker isn't enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location. diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md index 43baed45d4..b885c37d1a 100644 --- a/windows/client-management/mdm/policy-csp-windowspowershell.md +++ b/windows/client-management/mdm/policy-csp-windowspowershell.md @@ -4,7 +4,7 @@ description: Learn more about the WindowsPowerShell Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -45,13 +45,11 @@ ms.topic: reference This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. -- If you enable this policy setting, -Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation. +- If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation. - If you disable this policy setting, logging of PowerShell script input is disabled. -If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invocation of a command, script block, function, or script -starts or stops. Enabling Invocation Logging generates a high volume of event logs. +If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invocation of a command, script block, function, or script starts or stops. Enabling Invocation Logging generates a high volume of event logs. > [!NOTE] > This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 0992815e7c..a3256eec79 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -4,7 +4,7 @@ description: Learn more about the VPNv2 CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -870,8 +870,9 @@ Returns the type of App/Id. This value can be either of the following: PackageFa -False: Don't Bypass for Local traffic -True: ByPass VPN Interface for Local Traffic +False: Don't Bypass for Local traffic. + +True: ByPass VPN Interface for Local Traffic. Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. @@ -1216,9 +1217,13 @@ Comma Separated list of Issuer Hashes for the VPN Client to look for the correct If turned on a device tunnel profile does four things. + First, it automatically becomes an always on profile. + Second, it doesn't require the presence or logging in of any user to the machine in order for it to connect. + Third, no other Device Tunnel profile maybe be present on the same machine. + A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected. 
@@ -3101,7 +3106,7 @@ Type of routing policy. -Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com. +Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com. @@ -4163,6 +4168,7 @@ Specifies a rule in Security Descriptor Definition Language (SDDL) format to che Outbound - The traffic filter allows traffic to reach destinations matching this rule. This is the default. + Inbound - The traffic filter allows traffic coming from external locations matching this rule. 
@@ -5148,8 +5154,9 @@ Returns the type of App/Id. This value can be either of the following: PackageFa -False: Don't Bypass for Local traffic -True: ByPass VPN Interface for Local Traffic +False: Don't Bypass for Local traffic. + +True: ByPass VPN Interface for Local Traffic. Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. 
@@ -7326,7 +7333,7 @@ Type of routing policy. -Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com. +Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com. @@ -7907,6 +7914,7 @@ Boolean value (true or false) for caching credentials. Applicable only to AppContainer profiles. False: Don't show profile in Settings UI. + True: Show profile in Settings UI. Optional. This node is only relevant for AppContainer profiles (i.e. using the VpnManagementAgent::AddProfileFromXmlAsync method). 
@@ -8432,6 +8440,7 @@ Specifies a rule in Security Descriptor Definition Language (SDDL) format to che Outbound - The traffic filter allows traffic to reach destinations matching this rule. This is the default. + Inbound - The traffic filter allows traffic coming from external locations matching this rule. diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 84e529b875..c2f8aa8687 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -4,7 +4,7 @@ description: Learn more about the WiFi CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -383,6 +383,7 @@ Optional node. If the policy is active selecting one of the values from the foll XML describing the network configuration and follows Windows WLAN_profile schema. + Link to schema: @@ -741,6 +742,7 @@ Optional node. If the policy is active selecting one of the values from the foll XML describing the network configuration and follows Windows WLAN_profile schema. + Link to schema: diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index 5dcfb1a7ce..54a396d94f 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -4,7 +4,7 @@ description: Learn more about the WindowsDefenderApplicationGuard CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 05/11/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -291,6 +291,7 @@ Interior Node for Settings. This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the device's camera and microphone when these settings are enabled on the user's device. - If you enable this policy setting, applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the user's device. + - If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the user's device. @@ -611,6 +612,7 @@ This policy setting allows you to decide whether websites can load non-enterpris This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container. - If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. Multiple certificates can be specified by using a comma to separate the thumbprints for each certificate you want to transfer. Here's an example: b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924. + - If you disable or don't configure this setting, certificates aren't shared with the Microsoft Defender Application Guard container.
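Review bot: In policy-csp-windowsdefendersecuritycenter.md, the repeated hunks from @@ -40,12 through @@ -1545,12 put a blank line after each "Enabled:", "Disabled:" and "Not configured:" label, which leaves every label as a one-word paragraph detached from the sentence that defines it. A list item per state (for example "- Enabled: The Account protection area will be hidden.") would keep label and meaning together and would match the "- If you enable ..." bullets that the other CSP pages in this patch use.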
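Review bot: In policy-csp-windowsdefendersecuritycenter.md, hunks @@ -1032,19 and @@ -1108,21 add a period only to the last item ("-Specify contact website.") while the two items above it stay unpunctuated, and all three items have no space after the hyphen, so Markdown won't render them as a list. The unchanged item "-Specify contact email number or email ID" also still says "email number", where the setting described in hunk @@ -970,12 is an "email address or email ID". Suggest "- Specify contact phone number or Skype ID", "- Specify contact email address or email ID" and "- Specify contact website", with punctuation applied to all three or to none.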
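Review bot: In policy-csp-windowslogon.md, hunk @@ -111,10, the two conditions under "BitLocker is suspended during updates if:" lose their indentation, so they are no longer nested under option 1 and the ordered list is interrupted before "2. "Always Enabled"". Keep the new blank line but leave "BitLocker is suspended during updates if:" and both bullets indented under item 1. While this paragraph is being touched, "if BitLocker isn't on or suspended during an update" in the unchanged line above is ambiguous and reads more clearly as "isn't on or is suspended", since this sentence is the one that tells an admin when personal data is exposed.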
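Review bot: In vpnv2-csp.md, hunks @@ -870,8 and @@ -5148,9, the two value lines now end with periods but still disagree in casing: "Don't Bypass for Local traffic." versus "ByPass VPN Interface for Local Traffic.". Suggest "False: Don't bypass the VPN interface for local traffic." and "True: Bypass the VPN interface for local traffic." so the two values read as opposites of the same setting. The paragraph that follows explains that True lets local subnet traffic leave the force tunnel, so the wording of these two lines should leave no doubt which value does that.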
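Review bot: In vpnv2-csp.md, hunk @@ -1216,9, the intro says a device tunnel profile "does four things", but the lines visible here number only "First", "Second" and "Third", and the sentence after "Third" is unlabeled. Either label the fourth behaviour or change the count. The same hunk leaves "no other Device Tunnel profile maybe be present" unchanged; that should be "may be present".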
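Review bot: In vpnv2-csp.md, hunks @@ -3101,7 and @@ -7326,7, the added line drops the period after "vpn.contoso.com", so the text now reads "Examples, 208.147.66.130 or vpn.contoso.com The name can be ..." as one run-on sentence. If the intent was to keep the trailing period out of the example host name, put the examples in backticks and keep the sentence break. Since this line is being rewritten anyway, "seperated" should become "separated" and "make a list of server" should become "make a list of servers".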
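Review bot: In windowsdefenderapplicationguard-csp.md, hunk @@ -611,6, the first bullet ends its example with "...,1b1d49f06d2a697a544a1059bd59a7b058cda924." so the sentence period sits directly against the second thumbprint and is easy to copy into the policy value. Since this hunk reflows that list, suggest wrapping the comma-separated thumbprint example in backticks and placing the period outside them.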