diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index b34bc4709f..16889b4db0 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -4,7 +4,7 @@ description: Learn more about the BitLocker CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -21,6 +21,9 @@ ms.topic: reference > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. + The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro. @@ -40,6 +43,7 @@ The following list shows the BitLocker configuration service provider nodes: - ./Device/Vendor/MSFT/BitLocker - [AllowStandardUserEncryption](#allowstandarduserencryption) + - [AllowSuspensionOfBitLockerProtection](#allowsuspensionofbitlockerprotection) - [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) - [ConfigureRecoveryPasswordRotation](#configurerecoverypasswordrotation) - [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) @@ -149,6 +153,63 @@ To disable this policy, use the following SyncML: + +## AllowSuspensionOfBitLockerProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/BitLocker/AllowSuspensionOfBitLockerProtection +``` + + + + +This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled. + +> [!WARNING] +> When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally. + +The expected values for this policy are: + +0 = Prevent BitLocker Drive Encryption protection from being suspended. +1 = This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevent BitLocker Drive Encryption protection from being suspended. | +| 1 (Default) | This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. | + + + + + + + + ## AllowWarningForOtherDiskEncryption diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index 206cf3acd1..a5b1dd75f5 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -772,6 +772,52 @@ Supported Values: String form of request ID. Example format of request ID is GUI + + AllowSuspensionOfBitLockerProtection + + + + + + + + 1 + This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled. + Warning: When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally. + The format is integer. + The expected values for this policy are: + + 0 = Prevent BitLocker Drive Encryption protection from being suspended. + 1 = This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. + + + + + + + + + + + + + + + 99.9.99999 + 9.9 + + + + 0 + Prevent BitLocker Drive Encryption protection from being suspended. + + + 1 + This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. + + + + Status diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 7550924275..9ec146c353 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -4,7 +4,7 @@ description: Learn more about the Defender CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -63,6 +63,7 @@ The following list shows the Defender configuration service provider nodes: - [HideExclusionsFromLocalUsers](#configurationhideexclusionsfromlocalusers) - [IntelTDTEnabled](#configurationinteltdtenabled) - [MeteredConnectionUpdates](#configurationmeteredconnectionupdates) + - [OobeEnableRtpAndSigUpdate](#configurationoobeenablertpandsigupdate) - [PassiveRemediation](#configurationpassiveremediation) - [PlatformUpdatesChannel](#configurationplatformupdateschannel) - [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes) @@ -1808,6 +1809,55 @@ Allow managed devices to update through metered connections. Default is 0 - not + +### Configuration/OobeEnableRtpAndSigUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/OobeEnableRtpAndSigUpdate +``` + + + + +This setting allows you to configure whether real-time protection and Security Intelligence Updates are enabled during OOBE (Out of Box experience). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE. | +| 0 (Default) | If you either disable or do not configure this setting, real-time protection and Security Intelligence Updates during OOBE is not enabled. | + + + + + + + + ### Configuration/PassiveRemediation @@ -2481,7 +2531,7 @@ Information about the current status of the threat. The following list shows the | 7 | Removed | | 8 | Cleaned | | 9 | Allowed | -| 10 | No Status (Cleared) | +| 10 | No Status ( Cleared) | @@ -3676,7 +3726,7 @@ OfflineScan action starts a Microsoft Defender Offline scan on the computer wher -RollbackEngine action rolls back Microsoft Defender engine to its last known good saved version on the computer where you run the command. +RollbackEngine action rolls back Microsoft Defender engine to it's last known good saved version on the computer where you run the command. diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 4a653a572d..09e0cb692e 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1920,6 +1920,45 @@ The following XML file contains the device description framework (DDF) for the D + + OobeEnableRtpAndSigUpdate + + + + + + + + 0 + This setting allows you to configure whether real-time protection and Security Intelligence Updates are enabled during OOBE (Out of Box experience). + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE. + + + 0 + If you either disable or do not configure this setting, real-time protection and Security Intelligence Updates during OOBE is not enabled. + + + + ThrottleForScheduledScanOnly diff --git a/windows/client-management/mdm/devicepreparation-csp.md b/windows/client-management/mdm/devicepreparation-csp.md index e32d2c6c9a..a6be4ec54b 100644 --- a/windows/client-management/mdm/devicepreparation-csp.md +++ b/windows/client-management/mdm/devicepreparation-csp.md @@ -4,7 +4,7 @@ description: Learn more about the DevicePreparation CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -31,6 +31,7 @@ The following list shows the DevicePreparation configuration service provider no - [ClassID](#bootstrapperagentclassid) - [ExecutionContext](#bootstrapperagentexecutioncontext) - [InstallationStatusUri](#bootstrapperagentinstallationstatusuri) + - [MdmAgentInstalled](#mdmagentinstalled) - [MDMProvider](#mdmprovider) - [Progress](#mdmproviderprogress) - [PageEnabled](#pageenabled) @@ -194,6 +195,46 @@ This node holds a URI that can be queried for the status of the Bootstrapper Age + +## MdmAgentInstalled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DevicePreparation/MdmAgentInstalled +``` + + + + +This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | + + + + + + + + ## MDMProvider diff --git a/windows/client-management/mdm/devicepreparation-ddf-file.md b/windows/client-management/mdm/devicepreparation-ddf-file.md index c2a8a4aa4e..9d1713e298 100644 --- a/windows/client-management/mdm/devicepreparation-ddf-file.md +++ b/windows/client-management/mdm/devicepreparation-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -286,6 +286,29 @@ The following XML file contains the device description framework (DDF) for the D + + MdmAgentInstalled + + + + + + false + This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event. + + + + + + + + + + + + + + ``` diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index bdae4f4a67..ff2a647808 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -4,7 +4,7 @@ description: Learn more about the DMClient CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -16,6 +16,9 @@ ms.topic: reference # DMClient CSP +> [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. + The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment. @@ -37,6 +40,10 @@ The following list shows the DMClient configuration service provider nodes: - [Lock](#deviceproviderprovideridconfiglocklock) - [SecureCore](#deviceproviderprovideridconfiglocksecurecore) - [UnlockDuration](#deviceproviderprovideridconfiglockunlockduration) + - [ConfigRefresh](#deviceproviderprovideridconfigrefresh) + - [Cadence](#deviceproviderprovideridconfigrefreshcadence) + - [Enabled](#deviceproviderprovideridconfigrefreshenabled) + - [PausePeriod](#deviceproviderprovideridconfigrefreshpauseperiod) - [CustomEnrollmentCompletePage](#deviceproviderprovideridcustomenrollmentcompletepage) - [BodyText](#deviceproviderprovideridcustomenrollmentcompletepagebodytext) - [HyperlinkHref](#deviceproviderprovideridcustomenrollmentcompletepagehyperlinkhref) @@ -624,6 +631,176 @@ This node, when it is set, tells the client to set how many minutes the device s + +#### Device/Provider/{ProviderID}/ConfigRefresh + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh +``` + + + + +Parent node for ConfigRefresh nodes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/ConfigRefresh/Cadence + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/Cadence +``` + + + + +This node determines the number of minutes between refreshes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[30-1440]` | +| Default Value | 90 | + + + + + + + + + +##### Device/Provider/{ProviderID}/ConfigRefresh/Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/Enabled +``` + + + + +This node determines whether or not a periodic settings refresh for MDM policies will occur. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true | ConfigRefresh is enabled. | +| false (Default) | ConfigRefresh is disabled. | + + + + + + + + + +##### Device/Provider/{ProviderID}/ConfigRefresh/PausePeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/PausePeriod +``` + + + + +This node determines the number of minutes ConfigRefresh should be paused for. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1440]` | +| Default Value | 0 | + + + + + + + + #### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index b5ef6feff0..4de7f3bf11 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/24/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2947,6 +2947,125 @@ The following XML file contains the device description framework (DDF) for the D + + ConfigRefresh + + + + + + + Parent node for ConfigRefresh nodes + + + + + + + + + + + + + + 99.9.99999 + 1.6 + + + + Enabled + + + + + + + + false + This node determines whether or not a periodic settings refresh for MDM policies will occur. + + + + + + + + + + + + + + + true + ConfigRefresh is enabled. + + + false + ConfigRefresh is disabled. + + + LastWrite + + + + Cadence + + + + + + + + 90 + This node determines the number of minutes between refreshes. + + + + + + + + + + + + + + [30-1440] + + + + + PausePeriod + + + + + + + + 0 + This node determines the number of minutes ConfigRefresh should be paused for. + + + + + + + + + + + + + + [0-1440] + + + + diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 726ff88fb1..9d5ec3342a 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -4,7 +4,7 @@ description: Learn more about the EnterpriseModernAppManagement CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,6 +17,7 @@ ms.topic: reference # EnterpriseModernAppManagement CSP + The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](../enterprise-app-management.md). > [!NOTE] @@ -273,6 +274,7 @@ Used to perform app installation. + This is a required node. @@ -312,6 +314,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + This is an optional node. > [!NOTE] @@ -329,6 +332,7 @@ This is an optional node. + **Example**: Here's an example for uninstalling an app: @@ -374,6 +378,7 @@ Command to perform an install of an app package from a hosted location (this can + This is a required node. The following list shows the supported deployment options: - ForceApplicationShutdown @@ -424,6 +429,7 @@ Last error relating to the app installation. + > [!NOTE] > This element isn't present after the app is installed. @@ -464,6 +470,7 @@ Description of last error relating to the app installation. + > [!NOTE] > This element isn't present after the app is installed. @@ -504,6 +511,7 @@ An integer the indicates the progress of the app installation. For https locatio + > [!NOTE] > This element isn't present after the app is installed. @@ -544,6 +552,7 @@ Status of app installation. The following values are returned: NOT_INSTALLED (0) + > [!NOTE] > This element isn't present after the app is installed. @@ -662,6 +671,7 @@ Used to manage licenses for store apps. + This is a required node. @@ -701,6 +711,7 @@ License ID for a store installed app. The license ID is generally the PFN of the + This is an optional node. @@ -741,6 +752,7 @@ Command to add license. + This is a required node. @@ -780,6 +792,7 @@ Command to get license from the store. + This is a required node. @@ -936,6 +949,7 @@ Used for inventory and app management (post-install). + This is a required node. @@ -975,6 +989,7 @@ Specifies the query for app inventory. + This is a required node. Query parameters: - Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are: @@ -1016,6 +1031,7 @@ This is a required node. Query parameters: + **Example**: The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. @@ -1057,6 +1073,7 @@ Returns the results for app inventory that was created after the AppInventoryQue + This is a required node. @@ -1070,6 +1087,7 @@ This is a required node. + **Example**: Here's an example of AppInventoryResults operation. @@ -1108,6 +1126,7 @@ Here's an example of AppInventoryResults operation. + This is a required node. Used for managing apps from the Microsoft Store. @@ -1147,6 +1166,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -1162,6 +1182,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + **Example**: Here's an example for uninstalling an app: @@ -1247,6 +1268,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -1287,6 +1309,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -1326,6 +1349,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -1405,6 +1429,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -1484,6 +1509,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. @@ -1562,6 +1588,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -1641,6 +1668,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -1683,6 +1711,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -1723,6 +1752,7 @@ Registered users of the app and the package install state. If the query is at th + This is a required node. Possible values: - 0 = Not Installed @@ -1806,6 +1836,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -1854,6 +1885,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | @@ -1909,6 +1941,7 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to + NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. @@ -1931,6 +1964,7 @@ NonRemovable requires admin permission. This setting can only be defined per dev + **Examples**: - Add an app to the nonremovable app policy list @@ -2019,6 +2053,7 @@ Interior node for the managing updates through the Microsoft Store. These settin + > [!NOTE] > ReleaseManagement settings only apply to updates through the Microsoft Store. @@ -2294,6 +2329,7 @@ Reports the last error code returned by the update scan. + This is a required node. @@ -2332,6 +2368,7 @@ This is a required node. + Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store. @@ -2371,6 +2408,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -2386,6 +2424,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + **Example**: Here's an example for uninstalling an app: @@ -2471,6 +2510,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -2511,6 +2551,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -2550,6 +2591,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -2629,6 +2671,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -2708,6 +2751,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. @@ -2786,6 +2830,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -2865,6 +2910,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -2907,6 +2953,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -2947,6 +2994,7 @@ Registered users of the app and the package install state. If the query is at th + This is a required node. Possible values: - 0 = Not Installed @@ -3030,6 +3078,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -3078,6 +3127,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | @@ -3133,6 +3183,7 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to + NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. @@ -3155,6 +3206,7 @@ NonRemovable requires admin permission. This setting can only be defined per dev + **Examples**: - Add an app to the nonremovable app policy list @@ -3555,6 +3607,7 @@ Used to restore the Windows app to its initial configuration. + Reports apps installed as part of the operating system. @@ -3594,6 +3647,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -3675,6 +3729,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -3715,6 +3770,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -3754,6 +3810,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -3833,6 +3890,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -3912,6 +3970,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. @@ -3990,6 +4049,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -4069,6 +4129,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -4111,6 +4172,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -4151,6 +4213,7 @@ Registered users of the app and the package install state. If the query is at th + This is a required node. - 0 = Not Installed @@ -4766,6 +4829,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -4814,6 +4878,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | @@ -4869,6 +4934,7 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to + NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. @@ -4891,6 +4957,7 @@ NonRemovable requires admin permission. This setting can only be defined per dev + **Examples**: - Add an app to the nonremovable app policy list @@ -5253,6 +5320,7 @@ Used to start the Windows Update scan. + This is a required node. @@ -5331,6 +5399,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -5346,6 +5415,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + **Example**: Here's an example for uninstalling an app: @@ -5391,6 +5461,7 @@ Command to perform an install of an app package from a hosted location (this can + This is a required node. The following list shows the supported deployment options: - ForceApplicationShutdown @@ -5441,6 +5512,7 @@ Last error relating to the app installation. + > [!NOTE] > This element isn't present after the app is installed. @@ -5481,6 +5553,7 @@ Description of last error relating to the app installation. + > [!NOTE] > This element isn't present after the app is installed. @@ -5521,6 +5594,7 @@ An integer the indicates the progress of the app installation. For https locatio + > [!NOTE] > This element isn't present after the app is installed. @@ -5561,6 +5635,7 @@ Status of app installation. The following values are returned: NOT_INSTALLED (0) + > [!NOTE] > This element isn't present after the app is installed. @@ -5718,6 +5793,7 @@ License ID for a store installed app. The license ID is generally the PFN of the + This is an optional node. @@ -5758,6 +5834,7 @@ Command to add license. + This is a required node. @@ -5797,6 +5874,7 @@ Command to get license from the store. + This is a required node. @@ -5992,6 +6070,7 @@ Specifies the query for app inventory. + This is a required node. Query parameters: - Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are: @@ -6031,6 +6110,7 @@ This is a required node. Query parameters: + **Example**: The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. @@ -6072,6 +6152,7 @@ Returns the results for app inventory that was created after the AppInventoryQue + This is a required node. @@ -6085,6 +6166,7 @@ This is a required node. + **Example**: Here's an example of AppInventoryResults operation. @@ -6123,6 +6205,7 @@ Here's an example of AppInventoryResults operation. + This is a required node. Used for managing apps from the Microsoft Store. @@ -6162,6 +6245,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -6177,6 +6261,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + **Example**: Here's an example for uninstalling an app: @@ -6262,6 +6347,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -6302,6 +6388,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -6341,6 +6428,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -6420,6 +6508,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -6499,6 +6588,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. @@ -6577,6 +6667,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -6656,6 +6747,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -6698,6 +6790,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -6738,6 +6831,7 @@ Registered users of the app and the package install state. If the query is at th + This is a required node. Possible values: - 0 = Not Installed @@ -6821,6 +6915,7 @@ Interior node for all managed app setting values. + > [!NOTE] > This node is only supported in the user context. @@ -6861,6 +6956,7 @@ The SettingValue and data represent a key value pair to be configured for the ap + This setting only works for apps that support the feature and it's only supported in the user context. @@ -6875,6 +6971,7 @@ This setting only works for apps that support the feature and it's only supporte + **Examples**: - The following example sets the value for the 'Server' @@ -6933,6 +7030,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -6981,6 +7079,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). |Applicability Setting |CSP state |Result | @@ -7036,6 +7135,7 @@ Interior node for the managing updates through the Microsoft Store. These settin + > [!NOTE] > ReleaseManagement settings only apply to updates through the Microsoft Store. @@ -7311,6 +7411,7 @@ Reports the last error code returned by the update scan. + This is a required node. @@ -7349,6 +7450,7 @@ This is a required node. + Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store. @@ -7388,6 +7490,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -7403,6 +7506,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + ```xml @@ -7484,6 +7588,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -7524,6 +7629,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -7563,6 +7669,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -7642,6 +7749,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -7721,6 +7829,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. Value type is int. @@ -7801,6 +7910,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -7880,6 +7990,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -7922,6 +8033,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -7962,6 +8074,7 @@ Registered users of the app and the package install state. If the query is at th + Requried. - Not Installed = 0 @@ -8045,6 +8158,7 @@ Interior node for all managed app setting values. + This node is only supported in the user context. @@ -8084,6 +8198,7 @@ The SettingValue and data represent a key value pair to be configured for the ap + This setting only works for apps that support the feature and it's only supported in the user context. @@ -8098,6 +8213,7 @@ This setting only works for apps that support the feature and it's only supporte + The following example sets the value for the 'Server' ```xml @@ -8154,6 +8270,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -8202,6 +8319,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | @@ -8531,6 +8649,7 @@ Used to remove packages. + Parameters: - Package @@ -8551,6 +8670,7 @@ Parameters: + **Example**: The following example removes a package for all users: @@ -8632,6 +8752,7 @@ Used to restore the Windows app to its initial configuration. + Reports apps installed as part of the operating system. @@ -8671,6 +8792,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -8686,6 +8808,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + **Example**: ```xml @@ -8769,6 +8892,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -8809,6 +8933,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -8848,6 +8973,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -8927,6 +9053,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -9006,6 +9133,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. @@ -9084,6 +9212,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -9163,6 +9292,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -9205,6 +9335,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -9245,6 +9376,7 @@ Registered users of the app and the package install state. If the query is at th + This is a required node. - 0 = Not Installed @@ -9328,6 +9460,7 @@ Interior node for all managed app setting values. + This node is only supported in the user context. @@ -9367,6 +9500,7 @@ The SettingValue and data represent a key value pair to be configured for the ap + This setting only works for apps that support the feature and it's only supported in the user context. @@ -9381,6 +9515,7 @@ This setting only works for apps that support the feature and it's only supporte + **Examples**: - The following example sets the value for the 'Server' @@ -9439,6 +9574,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -9487,6 +9623,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | @@ -9816,6 +9953,7 @@ Used to start the Windows Update scan. + This is a required node. diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index c5b31e1372..dd6206ae17 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -16,9 +16,6 @@ ms.topic: reference # Firewall CSP -> [!IMPORTANT] -> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. - The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. @@ -99,11 +96,11 @@ The following list shows the Firewall configuration service provider nodes: - [HyperVFirewallRules](#mdmstorehypervfirewallrules) - [{FirewallRuleName}](#mdmstorehypervfirewallrulesfirewallrulename) - [Action](#mdmstorehypervfirewallrulesfirewallrulenameaction) - - [Type](#mdmstorehypervfirewallrulesfirewallrulenameactiontype) - [Direction](#mdmstorehypervfirewallrulesfirewallrulenamedirection) - [Enabled](#mdmstorehypervfirewallrulesfirewallrulenameenabled) - [LocalAddressRanges](#mdmstorehypervfirewallrulesfirewallrulenamelocaladdressranges) - [LocalPortRanges](#mdmstorehypervfirewallrulesfirewallrulenamelocalportranges) + - [Name](#mdmstorehypervfirewallrulesfirewallrulenamename) - [Priority](#mdmstorehypervfirewallrulesfirewallrulenamepriority) - [Profiles](#mdmstorehypervfirewallrulesfirewallrulenameprofiles) - [Protocol](#mdmstorehypervfirewallrulesfirewallrulenameprotocol) @@ -111,12 +108,6 @@ The following list shows the Firewall configuration service provider nodes: - [RemotePortRanges](#mdmstorehypervfirewallrulesfirewallrulenameremoteportranges) - [Status](#mdmstorehypervfirewallrulesfirewallrulenamestatus) - [VMCreatorId](#mdmstorehypervfirewallrulesfirewallrulenamevmcreatorid) - - [HyperVLoopbackRules](#mdmstorehypervloopbackrules) - - [{RuleName}](#mdmstorehypervloopbackrulesrulename) - - [DestinationVMCreatorId](#mdmstorehypervloopbackrulesrulenamedestinationvmcreatorid) - - [Enabled](#mdmstorehypervloopbackrulesrulenameenabled) - - [PortRanges](#mdmstorehypervloopbackrulesrulenameportranges) - - [SourceVMCreatorId](#mdmstorehypervloopbackrulesrulenamesourcevmcreatorid) - [HyperVVMSettings](#mdmstorehypervvmsettings) - [{VMCreatorId}](#mdmstorehypervvmsettingsvmcreatorid) - [AllowHostPolicyMerge](#mdmstorehypervvmsettingsvmcreatoridallowhostpolicymerge) @@ -1791,7 +1782,7 @@ Specifies the description of the rule. -Comma separated list. The rule is enabled based on the traffic direction as following. +The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. @@ -1935,7 +1926,7 @@ If not specified - a new rule is disabled by default. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 21H1 [10.0.19043] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -2087,6 +2078,7 @@ An IPv6 address range in the format of "start address - end address" with no spa Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. +When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). @@ -2166,7 +2158,8 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - + +Specifies the friendly name of the firewall rule. @@ -2194,7 +2187,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 22H2 [10.0.19045.2913] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1880] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1635] and later | @@ -2205,7 +2198,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. -Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". +Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". A PolicyAppId and ServiceName cannot be specified in the same rule. @@ -2431,6 +2424,7 @@ An IPv6 address range in the format of "start address - end address" with no spa Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. +When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). @@ -3122,7 +3116,9 @@ Unique alpha numeric identifier for the rule. The rule name must not include a f -Specifies the action for the rule. +Specifies the action the rule enforces: +0 - Block +1 - Allow. @@ -3132,68 +3128,27 @@ Specifies the action for the rule. **Description framework properties**: -| Property name | Property value | -|:--|:--| -| Format | node | -| Access Type | Get | - - - - - - - - - -###### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action/Type - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action/Type -``` - - - - -Specifies the action the rule enforces: -0 - Block -1 - Allow. - - - - - - - -**Description framework properties**: - | Property name | Property value | |:--|:--| | Format | int | | Access Type | Get, Replace | | Default Value | 1 | - + - + **Allowed values**: | Value | Description | |:--|:--| | 0 | Block. | | 1 (Default) | Allow. | - + - + - + - + ##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Direction @@ -3212,7 +3167,7 @@ Specifies the action the rule enforces: -Comma separated list. The rule is enabled based on the traffic direction as following. +The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. @@ -3385,6 +3340,45 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the + +##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Name +``` + + + + +Specifies the friendly name of the Hyper-V Firewall rule. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + ##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Priority @@ -3402,7 +3396,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the -0-255 number representing the IANA Internet Protocol (TCP = 6, UDP = 17). If not specified the default is All. +This value represents the order of rule enforcement. A lower priority rule is evaluated first. If not specified, block rules are evaluated before allow rules. If priority is configured, it is highly recommended to configure the value for ALL rules to ensure expected evaluation of rules. @@ -3416,7 +3410,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-255]` | +| Allowed Values | Range: `[0-65535]` | @@ -3679,255 +3673,6 @@ This field specifies the VM Creator ID that this rule is applicable to. A NULL G - -### MdmStore/HyperVLoopbackRules - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules -``` - - - - -A list of rules controlling loopback traffic through the Windows Firewall. This enforcement is only for traffic from one container to another or to the host device. These rules are all allow rules. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | node | -| Access Type | Get | - - - - - - - - - -#### MdmStore/HyperVLoopbackRules/{RuleName} - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName} -``` - - - - -Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | node | -| Access Type | Add, Delete, Get, Replace | -| Atomic Required | True | -| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | -| Allowed Values | Regular Expression: `^[^|/]*$` | - - - - - - - - - -##### MdmStore/HyperVLoopbackRules/{RuleName}/DestinationVMCreatorId - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/DestinationVMCreatorId -``` - - - - -This field specifies the VM Creator ID of the destination of traffic that this rule applies to. If not specified, this applies to All. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | - - - - - - - - - -##### MdmStore/HyperVLoopbackRules/{RuleName}/Enabled - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/Enabled -``` - - - - -Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | bool | -| Access Type | Get, Replace | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Disabled. | -| 1 | Enabled. | - - - - - - - - - -##### MdmStore/HyperVLoopbackRules/{RuleName}/PortRanges - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/PortRanges -``` - - - - -Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Regular Expression: `^[0-9,-]+$` | - - - - - - - - - -##### MdmStore/HyperVLoopbackRules/{RuleName}/SourceVMCreatorId - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/SourceVMCreatorId -``` - - - - -This field specifies the VM Creator ID of the source of the traffic that this rule applies to. If not specified, this applies to All. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | - - - - - - - - ### MdmStore/HyperVVMSettings @@ -4026,7 +3771,7 @@ VM Creator ID that these settings apply to. Valid format is a GUID. -This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V firewall. +This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V Firewall. @@ -4075,7 +3820,7 @@ This value is used as an on/off switch. If this value is true, applicable host f -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -4125,7 +3870,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -4213,7 +3958,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. +This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -4263,7 +4008,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -4313,7 +4058,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -4363,7 +4108,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is an on/off switch for the firewall and advanced security enforcement. +This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -4412,7 +4157,7 @@ This value is an on/off switch for the firewall and advanced security enforcemen -This value is an on/off switch for the firewall and advanced security enforcement. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. +This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -4434,8 +4179,8 @@ This value is an on/off switch for the firewall and advanced security enforcemen | Value | Description | |:--|:--| -| false | Disable Firewall. | -| true (Default) | Enable Firewall. | +| false | Disable Hyper-V Firewall. | +| true (Default) | Enable Hyper-V Firewall. | @@ -4548,7 +4293,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM -This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. +This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -4598,7 +4343,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -4648,7 +4393,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -4698,7 +4443,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is an on/off switch for the firewall and advanced security enforcement. +This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -4785,7 +4530,7 @@ This value is an on/off switch for the firewall and advanced security enforcemen -This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. +This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -4835,7 +4580,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -4885,7 +4630,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -4935,7 +4680,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is an on/off switch for the firewall and advanced security enforcement. +This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -4957,8 +4702,8 @@ This value is an on/off switch for the firewall and advanced security enforcemen | Value | Description | |:--|:--| -| false | Disable Firewall. | -| true (Default) | Enable Firewall. | +| false | Disable Hyper-V Firewall. | +| true (Default) | Enable Hyper-V Firewall. | diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md index 4eb6ee5f96..6fd0b6982d 100644 --- a/windows/client-management/mdm/firewall-ddf-file.md +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2855,7 +2855,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is an on/off switch for the firewall and advanced security enforcement. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. + This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -2871,11 +2871,11 @@ The following XML file contains the device description framework (DDF) for the F false - Disable Firewall + Disable Hyper-V Firewall true - Enable Firewall + Enable Hyper-V Firewall @@ -2888,7 +2888,7 @@ The following XML file contains the device description framework (DDF) for the F 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -2918,7 +2918,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -2934,7 +2934,7 @@ The following XML file contains the device description framework (DDF) for the F 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -2964,7 +2964,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3012,7 +3012,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V firewall. + This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V Firewall. @@ -3063,7 +3063,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is an on/off switch for the firewall and advanced security enforcement. + This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -3096,7 +3096,7 @@ The following XML file contains the device description framework (DDF) for the F 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -3126,7 +3126,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3142,7 +3142,7 @@ The following XML file contains the device description framework (DDF) for the F 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -3172,7 +3172,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3187,7 +3187,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -3217,7 +3217,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3252,7 +3252,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is an on/off switch for the firewall and advanced security enforcement. + This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -3285,7 +3285,7 @@ The following XML file contains the device description framework (DDF) for the F 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -3315,7 +3315,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3331,7 +3331,7 @@ The following XML file contains the device description framework (DDF) for the F 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -3361,7 +3361,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3376,7 +3376,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -3406,7 +3406,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3441,7 +3441,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is an on/off switch for the firewall and advanced security enforcement. + This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -3457,11 +3457,11 @@ The following XML file contains the device description framework (DDF) for the F false - Disable Firewall + Disable Hyper-V Firewall true - Enable Firewall + Enable Hyper-V Firewall @@ -3474,7 +3474,7 @@ The following XML file contains the device description framework (DDF) for the F 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -3504,7 +3504,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3520,7 +3520,7 @@ The following XML file contains the device description framework (DDF) for the F 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -3550,7 +3550,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3565,7 +3565,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -3595,7 +3595,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3818,7 +3818,10 @@ ServiceName - Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). + @@ -3846,7 +3849,10 @@ ServiceName - Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). + @@ -3878,6 +3884,8 @@ ServiceName String value. Multiple ICMP type+code pairs can be included in the string by separating each value with a ",". If more than one ICMP type+code pair is specified, the strings must be separated by a comma. To specify all ICMP types and codes, use the "*" character. For specific ICMP types and codes, use the ":" to separate the type and code. The following are valid examples: 3:4 or 1:*. The "*" character can be used to represent any code. The "*" character can't be used to specify any type, examples such as "*:4" or "*:*" are invalid. + + When setting this field in a firewall rule, the protocol field must also be set, to either 1 (ICMP) or 58 (IPv6-ICMP). @@ -3892,7 +3900,7 @@ ServiceName - 10.0.19043 + 10.0.20348 1.0 @@ -3909,7 +3917,7 @@ ServiceName - Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. + Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. Valid tokens include: "*" indicates any local address. If present, this must be the only token included. @@ -4172,7 +4180,7 @@ If not specified - a new rule is disabled by default. OUT - Comma separated list. The rule is enabled based on the traffic direction as following. + The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. @@ -4328,7 +4336,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". + Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". A PolicyAppId and ServiceName cannot be specified in the same rule. @@ -4342,7 +4350,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - 99.9.99999 + 10.0.19045.2913, 10.0.22621.1635, 10.0.22000.1880 1.1 @@ -4380,6 +4388,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. + Specifies the friendly name of the firewall rule. @@ -4457,7 +4466,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - 0-255 number representing the IANA Internet Protocol (TCP = 6, UDP = 17). If not specified the default is All. + This value represents the order of rule enforcement. A lower priority rule is evaluated first. If not specified, block rules are evaluated before allow rules. If priority is configured, it is highly recommended to configure the value for ALL rules to ensure expected evaluation of rules. @@ -4471,7 +4480,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - [0-255] + [0-65535] @@ -4483,7 +4492,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. OUT - Comma separated list. The rule is enabled based on the traffic direction as following. + The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. @@ -4577,7 +4586,7 @@ If not specified the detault is OUT. - Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. + Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. Valid tokens include: "*" indicates any local address. If present, this must be the only token included. @@ -4695,10 +4704,14 @@ An IPv6 address range in the format of "start address - end address" with no spa + - Specifies the action for the rule. + 1 + Specifies the action the rule enforces: +0 - Block +1 - Allow - + @@ -4707,44 +4720,19 @@ An IPv6 address range in the format of "start address - end address" with no spa - + + + + 0 + Block + + + 1 + Allow + + - - Type - - - - - - 1 - Specifies the action the rule enforces: -0 - Block -1 - Allow - - - - - - - - - - - - - - - 0 - Block - - - 1 - Allow - - - - Enabled @@ -4785,7 +4773,7 @@ If not specified - a new rule is disabled by default. - Provides information about the specific verrsion of the rule in deployment for monitoring purposes. + Provides information about the specific version of the rule in deployment for monitoring purposes. @@ -4840,62 +4828,8 @@ If not specified - a new rule is disabled by default. - - - - HyperVLoopbackRules - - - - - A list of rules controlling loopback traffic through the Windows Firewall. This enforcement is only for traffic from one container to another or to the host device. These rules are all allow rules. - - - - - - - - - - - - - - - - - - - - - - - - Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). - - - - - - - - - - RuleName - - - - - - - - ^[^|/]*$ - - - - SourceVMCreatorId + Name @@ -4903,12 +4837,12 @@ If not specified - a new rule is disabled by default. - This field specifies the VM Creator ID of the source of the traffic that this rule applies to. If not specified, this applies to All. + Specifies the friendly name of the Hyper-V Firewall rule. - + @@ -4916,96 +4850,6 @@ If not specified - a new rule is disabled by default. - - \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} - - - - - DestinationVMCreatorId - - - - - - - - This field specifies the VM Creator ID of the destination of traffic that this rule applies to. If not specified, this applies to All. - - - - - - - - - - - - - - \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} - - - - - PortRanges - - - - - - - - Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. - - - - - - - - - - - - - - ^[0-9,-]+$ - - - - - - Enabled - - - - - - Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default. - - - - - - - - - - - - - - - 0 - Disabled - - - 1 - Enabled - - diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 79728405bf..e172fe94a5 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -445,7 +445,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of digits in PIN. | -| 1 | Requires the use of at least one digit in PIN. | +| 1 | Requires the use of at least one digits in PIN. | | 2 | Does not allow the use of digits in PIN. | @@ -583,7 +583,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of lowercase letters in PIN. | -| 1 | Requires the use of at least one lowercase letter in PIN. | +| 1 | Requires the use of at least one lowercase letters in PIN. | | 2 | Does not allow the use of lowercase letters in PIN. | @@ -706,7 +706,7 @@ Minimum PIN length configures the minimum number of characters required for the -Use this policy setting to configure the use of special character in the Windows Hello for Business PIN gesture. Valid special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; `< = >` ? @ [ \ ] ^ _ ` { | } ~ . +Use this policy setting to configure the use of special characters in the Windows Hello for Business PIN gesture. Valid special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; `< = >` ? @ [ \ ] ^ _ ` { | } ~ . A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. @@ -791,7 +791,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of uppercase letters in PIN. | -| 1 | Requires the use of at least one uppercase letter in PIN. | +| 1 | Requires the use of at least one uppercase letters in PIN. | | 2 | Does not allow the use of uppercase letters in PIN. | @@ -2027,7 +2027,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of digits in PIN. | -| 1 | Requires the use of at least one digit in PIN. | +| 1 | Requires the use of at least one digits in PIN. | | 2 | Does not allow the use of digits in PIN. | @@ -2165,7 +2165,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of lowercase letters in PIN. | -| 1 | Requires the use of at least one lowercase letter in PIN. | +| 1 | Requires the use of at least one lowercase letters in PIN. | | 2 | Does not allow the use of lowercase letters in PIN. | @@ -2317,7 +2317,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of special characters in PIN. | -| 1 | Requires the use of at least one special character in PIN. | +| 1 | Requires the use of at least one special characters in PIN. | | 2 | Does not allow the use of special characters in PIN. | @@ -2373,7 +2373,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of uppercase letters in PIN. | -| 1 | Requires the use of at least one uppercase letter in PIN. | +| 1 | Requires the use of at least one uppercase letters in PIN. | | 2 | Does not allow the use of uppercase letters in PIN. | diff --git a/windows/client-management/mdm/personaldataencryption-ddf-file.md b/windows/client-management/mdm/personaldataencryption-ddf-file.md index b5425cab46..1d5d233812 100644 --- a/windows/client-management/mdm/personaldataencryption-ddf-file.md +++ b/windows/client-management/mdm/personaldataencryption-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -83,128 +83,6 @@ The following XML file contains the device description framework (DDF) for the P - - ProtectFolders - - - - - - - - - - - - - - - - - - - ProtectDocuments - - - - - - - - Allows the Admin to enable PDE on Documents folder. Set to '1' to set this policy. - - - - - - - - - - - - - - - 0 - Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. - - - 1 - Enable PDE on the folder. - - - - - - ProtectDesktop - - - - - - - - Allows the Admin to enable PDE on Desktop folder. Set to '1' to set this policy. - - - - - - - - - - - - - - - 0 - Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. - - - 1 - Enable PDE on the folder. - - - - - - ProtectPictures - - - - - - - - Allows the Admin to enable PDE on Pictures folder. Set to '1' to set this policy. - - - - - - - - - - - - - - - 0 - Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. - - - 1 - Enable PDE on the folder. - - - - - Status @@ -245,66 +123,6 @@ The following XML file contains the device description framework (DDF) for the P - - FolderProtectionStatus - - - - - This node reports folder protection status for a user. - - - - - - - - - - - - - - - 0 - Protection not started. - - - 1 - Protection is completed with no failures. - - - 2 - Protection in progress. - - - 3 - Protection failed. - - - - - - FoldersProtected - - - - - This node reports all folders (full path to each folder) that have been protected. - - - - - - - - - - - - - - diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 08332c2601..404381b85a 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index 6aba70d787..f9aa11914a 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -340,9 +340,6 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [ClearTextPassword](policy-csp-devicelock.md) - [PasswordComplexity](policy-csp-devicelock.md) - [PasswordHistorySize](policy-csp-devicelock.md) -- [AccountLockoutThreshold](policy-csp-devicelock.md) -- [AccountLockoutDuration](policy-csp-devicelock.md) -- [ResetAccountLockoutCounterAfter](policy-csp-devicelock.md) - [AllowAdministratorLockout](policy-csp-devicelock.md) ## Display @@ -689,7 +686,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [StartLayout](policy-csp-start.md) - [ConfigureStartPins](policy-csp-start.md) - [HideRecommendedSection](policy-csp-start.md) -- [HideRecoPersonalizedSites](policy-csp-start.md) +- [HideRecommendedPersonalizedSites](policy-csp-start.md) - [HideTaskViewButton](policy-csp-start.md) - [DisableControlCenter](policy-csp-start.md) - [ForceStartSize](policy-csp-start.md) @@ -700,7 +697,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [StartLayout](policy-csp-start.md) - [ConfigureStartPins](policy-csp-start.md) - [HideRecommendedSection](policy-csp-start.md) -- [HideRecoPersonalizedSites](policy-csp-start.md) +- [HideRecommendedPersonalizedSites](policy-csp-start.md) - [SimplifyQuickSettings](policy-csp-start.md) - [DisableEditingQuickSettings](policy-csp-start.md) - [HideTaskViewButton](policy-csp-start.md) @@ -884,7 +881,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [DenyLogOnAsBatchJob](policy-csp-userrights.md) - [LogOnAsService](policy-csp-userrights.md) - [IncreaseProcessWorkingSet](policy-csp-userrights.md) -- [DenyServiceLogonRight](policy-csp-userrights.md) +- [DenyLogOnAsService](policy-csp-userrights.md) ## VirtualizationBasedTechnology @@ -897,7 +894,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [NotifyMalicious](policy-csp-webthreatdefense.md) - [NotifyPasswordReuse](policy-csp-webthreatdefense.md) - [NotifyUnsafeApp](policy-csp-webthreatdefense.md) -- [CaptureThreatWindow](policy-csp-webthreatdefense.md) +- [AutomaticDataCollection](policy-csp-webthreatdefense.md) ## Wifi diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md index e17a1d7e53..4be961a69f 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md @@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Windows 10 Team author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/28/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -257,6 +257,7 @@ This article lists the policies in Policy CSP that are applicable for the Surfac ## Start +- [HideRecommendedPersonalizedSites](policy-csp-start.md#hiderecommendedpersonalizedsites) - [StartLayout](policy-csp-start.md#startlayout) ## System diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 1eba8fd662..1fc1424bc4 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4,7 +4,7 @@ description: Learn more about the Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md index fbc5c518ac..5c5b42532a 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md +++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_SharedFolders Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -31,7 +31,7 @@ ms.topic: reference | Scope | Editions | Applicable OS | |:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index 0b01016c5f..19a5889d94 100644 --- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -4,7 +4,7 @@ description: Learn more about the Audit Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 04/14/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -843,7 +843,7 @@ Volume: Low. -This policy setting allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121697). +This policy setting allows you to audit events generated by special logons such as the following : The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121697). diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 1f26de308e..8643e7282a 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/27/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1885,8 +1885,8 @@ Same as Disabled. - -This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0. + +Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a |. For example, lib|obj. @@ -1939,8 +1939,8 @@ This policy setting allows you specify a list of file types that should be exclu - -This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recommended that this be set to 0. + +Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a |. For example, C:\Example|C:\Example1. @@ -1993,8 +1993,11 @@ This policy setting allows you to disable scheduled and real-time scanning for f - -This policy setting allows you to disable real-time scanning for any file opened by any of the specified processes. This policy does not apply to scheduled scans. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. **Note** that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0. + +Allows an administrator to specify a list of files opened by processes to ignore during a scan. + +> [!IMPORTANT] +> The process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C:\Example. exe|C:\Example1.exe. diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index b65b65b1e4..c86a89adff 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -4,7 +4,7 @@ description: Learn more about the DeviceInstallation Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -347,7 +347,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.256] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.2145] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1714] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1151] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.256] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.2145] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1714] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1151] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 69a26fb46f..80e5d67f50 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -4,7 +4,7 @@ description: Learn more about the DeviceLock Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -30,105 +30,44 @@ ms.topic: reference > The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For more information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types). - -## AccountLockoutDuration + +## AccountLockoutPolicy - + | Scope | Editions | Applicable OS | |:--|:--|:--| | :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - + - + ```Device -./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutDuration +./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutPolicy ``` - + - + -Account lockout duration This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. - +Account lockout threshold - This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts. Default: 0 Account lockout duration - This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. Reset account lockout counter after - This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. + - + - + - + **Description framework properties**: | Property name | Property value | |:--|:--| -| Format | int | +| Format | chr (string) | | Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-99999]` | -| Default Value | 0 | - + - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | Account lockout duration | -| Path | Windows Settings > Security Settings > Account Policies > Account Lockout Policy | - - - + - + - - - -## AccountLockoutThreshold - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutThreshold -``` - - - - -Account lockout threshold - This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts. Default: 0. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-10]` | -| Default Value | 0 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | Account lockout threshold | -| Path | Windows Settings > Security Settings > Account Policies > Account Lockout Policy | - - - - - - - + ## AllowAdministratorLockout @@ -162,7 +101,7 @@ Allow Administrator account lockout This security setting determines whether the | Format | int | | Access Type | Add, Delete, Get, Replace | | Allowed Values | Range: `[0-1]` | -| Default Value | 0 | +| Default Value | 1 | @@ -1165,11 +1104,11 @@ Complexity requirements are enforced when passwords are changed or created. -Minimum password length -This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting is dependent on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting is not defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required. +Enforce password history +This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This policy enables administrators to enhance security by ensuring that old passwords are not reused continually. Default: 24 on domain controllers. 0 on stand-alone servers. > [!NOTE] -> By default, member computers follow the configuration of their domain controllers. Default: 7 on domain controllers. 0 on stand-alone servers. Configuring this setting than 14 may affect compatibility with clients, services, and applications. Microsoft recommends that you only configure this setting larger than 14 after using the Minimum password length audit setting to test for potential incompatibilities at the new setting. +> By default, member computers follow the configuration of their domain controllers. To maintain the effectiveness of the password history, do not allow passwords to be changed immediately after they were just changed by also enabling the Minimum password age security policy setting. For information about the minimum password age security policy setting, see Minimum password age. @@ -1184,7 +1123,7 @@ This security setting determines the least number of characters that a password | Format | int | | Access Type | Add, Delete, Get, Replace | | Allowed Values | Range: `[0-24]` | -| Default Value | 7 | +| Default Value | 24 | @@ -1192,7 +1131,7 @@ This security setting determines the least number of characters that a password | Name | Value | |:--|:--| -| Name | Minimum password length | +| Name | Enforce password history | | Path | Windows Settings > Security Settings > Account Policies > Password Policy | @@ -1322,56 +1261,6 @@ If you enable this setting, users will no longer be able to modify slide show se - -## ResetAccountLockoutCounterAfter - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/DeviceLock/ResetAccountLockoutCounterAfter -``` - - - - -Reset account lockout counter after - This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[1-99999]` | -| Default Value | 0 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | Reset account lockout counter after | -| Path | Windows Settings > Security Settings > Account Policies > Account Lockout Policy | - - - - - - - - ## ScreenTimeoutWhileLocked diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 92fda2c42a..d8938e641c 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -4,7 +4,7 @@ description: Learn more about the InternetExplorer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1428,7 +1428,7 @@ This policy allows the user to go directly to an intranet site for a one-word en | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | @@ -2080,7 +2080,7 @@ This policy setting allows you to manage whether Internet Explorer checks for di | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | @@ -3403,7 +3403,7 @@ The Home page specified on the General tab of the Internet Options dialog box is | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.1060] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.3460] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2060] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1030] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.1060] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.3460] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2060] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1030] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | @@ -3599,7 +3599,7 @@ InPrivate Browsing prevents Internet Explorer from storing data about a user's b | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | @@ -4486,7 +4486,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.143] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1474] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.906] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.143] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1474] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.906] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | @@ -4552,7 +4552,7 @@ For more information, see | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.558] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1566] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.527] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.558] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1566] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.527] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | @@ -7968,7 +7968,7 @@ This policy setting specifies whether JScript or JScript9Legacy is loaded for MS | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | @@ -13390,7 +13390,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.261] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1832] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1266] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.282] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.261] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1832] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1266] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.282] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | @@ -16537,7 +16537,7 @@ Also, see the "Security zones: Do not allow users to change policies" policy. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 870386a6e5..16587b8ce0 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -4,7 +4,7 @@ description: Learn more about the Kerberos Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -242,7 +242,6 @@ This policy setting controls hash or checksum algorithms used by the Kerberos cl - "Not Supported" disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. - If you disable or do not configure this policy, each algorithm will assume the "Default" state. -More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found at< https://go.microsoft.com/fwlink/?linkid=2169037>. Events generated by this configuration: 205, 206, 207, 208. diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 6f83800c56..ad926281b0 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -4,7 +4,7 @@ description: Learn more about the MixedReality Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -86,7 +86,7 @@ Steps to use this policy correctly: | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -136,7 +136,7 @@ This opt-in policy can help with the setup of new devices in new areas or new us | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -188,7 +188,7 @@ For more information on the Launcher API, see [Launcher Class (Windows.System) - | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -335,7 +335,7 @@ This policy setting controls if pressing the brightness button changes the brigh | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -386,7 +386,7 @@ For more information, see [Moving platform mode on low dynamic motion moving pla | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -491,7 +491,7 @@ The following XML string is an example of the value for this policy: | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -687,7 +687,7 @@ This policy configures behavior of HUP to determine, which algorithm to use for | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -786,7 +786,7 @@ This policy setting controls whether microphone on HoloLens 2 is disabled or not | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -856,7 +856,7 @@ The following example XML string shows the value to enable this policy: | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -907,7 +907,7 @@ This policy configures whether the device will take the user through the eye tra | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -957,7 +957,7 @@ It skips the training experience of interactions with the hummingbird and Start | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index f4fa8a6e6a..507250a860 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -4,7 +4,7 @@ description: Learn more about the Privacy Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2930,7 +2930,7 @@ If an app is open when this Group Policy object is applied on a device, employee | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.25000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.25000] and later | @@ -2990,7 +2990,7 @@ This policy setting specifies whether Windows apps can access the human presence | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.25000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.25000] and later | @@ -3040,7 +3040,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.25000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.25000] and later | @@ -3090,7 +3090,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.25000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.25000] and later | diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 19a927a634..040fb1fed2 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -4,7 +4,7 @@ description: Learn more about the Start Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1424,6 +1424,68 @@ To validate this policy, do the following steps: + +## HideRecommendedPersonalizedSites + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/HideRecommendedPersonalizedSites +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideRecommendedPersonalizedSites +``` + + + + +This policy setting allows you to hide the personalized websites in the recommended section of the Start Menu. If you enable this policy setting, the Start Menu will no longer show personalized website recommendations in the recommended section of the start menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Personalized Website Recommendations shown. | +| 1 | Personalized Website Recommendations hidden. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HideRecommendedPersonalizedSites | +| Path | StartMenu > AT > StartMenu | + + + + + + + + ## HideRecommendedSection @@ -1493,68 +1555,6 @@ If you enable this policy setting, the Start Menu will no longer show the sectio - -## HideRecoPersonalizedSites - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | | - - - -```User -./User/Vendor/MSFT/Policy/Config/Start/HideRecoPersonalizedSites -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/Start/HideRecoPersonalizedSites -``` - - - - -This policy setting allows you to hide the personalized websites in the recommended section of the Start Menu. If you enable this policy setting, the Start Menu will no longer show personalized website recommendations in the recommended section of the start menu. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Personalized Website Recommendations shown. | -| 1 | Personalized Website Recommendations hidden. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | HideRecoPersonalizedSites | -| Path | StartMenu > AT > StartMenu | - - - - - - - - ## HideRestart diff --git a/windows/client-management/mdm/policy-csp-stickers.md b/windows/client-management/mdm/policy-csp-stickers.md index c977508f6e..d57c186ddb 100644 --- a/windows/client-management/mdm/policy-csp-stickers.md +++ b/windows/client-management/mdm/policy-csp-stickers.md @@ -4,7 +4,7 @@ description: Learn more about the Stickers Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -26,7 +26,7 @@ ms.topic: reference | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | diff --git a/windows/client-management/mdm/policy-csp-tenantrestrictions.md b/windows/client-management/mdm/policy-csp-tenantrestrictions.md index babefd000e..96f488a077 100644 --- a/windows/client-management/mdm/policy-csp-tenantrestrictions.md +++ b/windows/client-management/mdm/policy-csp-tenantrestrictions.md @@ -4,7 +4,7 @@ description: Learn more about the TenantRestrictions Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -31,7 +31,7 @@ ms.topic: reference | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.320] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1320] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1320] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1320] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.320] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1320] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1320] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1320] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 4d0a66c573..7832fbfb73 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -4,7 +4,7 @@ description: Learn more about the TextInput Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -949,7 +949,7 @@ This Policy setting applies only to Microsoft Traditional Chinese IME. -This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode. The touch keyboard is enabled in both the tablet and desktop mode. In the tablet mode, when you touch a textbox, the touch keyboard automatically shows up. But in the desktop mode, by default, the touch keyboard does not automatically show up when you touch a textbox. The user must click the system tray to enable the touch keyboard. When this policy is enabled, the touch keyboard automatically shows up when the device is in the desktop mode. This policy corresponds to Show the touch keyboard when not in tablet mode and there's no keyboard attached in the Settings app. +This policy allows the IT admin to control whether the touch keyboard should show up on tapping an edit control. By default, when you tap a textbox, the touch keyboard automatically shows up when there's no keyboard attached. When this policy is enabled, the touch keyboard can be shown or suppressed regardless of the hardware keyboard availability. This policy corresponds to Show the touch keyboard setting in the Settings app. @@ -971,8 +971,9 @@ This policy allows the IT admin to enable the touch keyboard to automatically sh | Value | Description | |:--|:--| -| 0 (Default) | Disabled. | -| 1 | Enabled. | +| 0 (Default) | Never. | +| 1 | When no keyboard attached. | +| 2 | Always. | diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 8bf785ab2e..a5d3afb700 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -826,12 +826,8 @@ Pause Updates | To prevent Feature Updates from being offered to the device, you - -Enable this policy to specify when to receive Feature Updates. - -Defer Updates | This enables devices to defer taking the next Feature Update available for their current product (or a new product if specified in the Select the target Feature Update version policy). You can defer a Feature Update for up to 14 days for all pre-release channels and up to 365 days for the General Availability Channel. To learn more about the current releases, please see aka.ms/WindowsTargetVersioninfo - -Pause Updates | To prevent Feature Updates from being offered to the device, you can temporarily pause Feature Updates. This pause will remain in effect for 35 days from the specified start date or until the field is cleared. Note, Quality Updates will still be offered even if Feature Updates are paused. + +Specifies the date and time when the IT admin wants to start pausing the Feature Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28). @@ -955,16 +951,8 @@ If you disable or do not configure this policy, Windows Update will not alter it - -Enable this policy to specify when to receive quality updates. - -You can defer receiving quality updates for up to 30 days. - -To prevent quality updates from being received on their scheduled time, you can temporarily pause quality updates. The pause will remain in effect for 35 days or until you clear the start date field. - -To resume receiving Quality Updates which are paused, clear the start date field. - -If you disable or do not configure this policy, Windows Update will not alter its behavior. + +Specifies the date and time when the IT admin wants to start pausing the Quality Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28). @@ -2143,9 +2131,9 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie | Value | Description | |:--|:--| -| 0 | Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. | -| 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shut down properly on restart. | -| 2 (Default) | Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shut down properly on restart. | +| 0 | Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. | +| 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. | +| 2 (Default) | Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. | | 3 | Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. | | 4 | Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. | | 5 | Turn off automatic updates. | @@ -3551,7 +3539,7 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie -This setting allows removal access to "Pause updates" feature. +This setting allows to remove access to "Pause updates" feature. Once enabled user access to pause updates is removed. @@ -4311,7 +4299,7 @@ Enable this policy to control the timing before transitioning from Auto restarts You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period. +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. @@ -4381,7 +4369,7 @@ Enable this policy to control the timing before transitioning from Auto restarts You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period. +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. @@ -4451,7 +4439,7 @@ Enable this policy to control the timing before transitioning from Auto restarts You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period. +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. @@ -4521,7 +4509,7 @@ Enable this policy to control the timing before transitioning from Auto restarts You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period. +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 113eac5d6c..d901a34a02 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -4,7 +4,7 @@ description: Learn more about the UserRights Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -980,6 +980,58 @@ This security setting determines which accounts are prevented from being able to + +## DenyLogOnAsService + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/DenyLogOnAsService +``` + + + + +Deny log on as a service -This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies. + +> [!NOTE] +> This security setting does not apply to the System, Local Service, or Network Service accounts. Default: None. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Deny log on as a service | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + ## DenyRemoteDesktopServicesLogOn @@ -1029,58 +1081,6 @@ This user right determines which users and groups are prohibited from logging on - -## DenyServiceLogonRight - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/UserRights/DenyServiceLogonRight -``` - - - - -This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies. - -> [!NOTE] -> This security setting does not apply to the System, Local Service, or Network Service accounts. Default: None. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | List (Delimiter: `0xF000`) | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | Deny log on as a service | -| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | - - - - - - - - ## EnableDelegation diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md index 3f32d7c225..d92837b542 100644 --- a/windows/client-management/mdm/policy-csp-webthreatdefense.md +++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md @@ -4,7 +4,7 @@ description: Learn more about the WebThreatDefense Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -25,63 +25,63 @@ ms.topic: reference > In Microsoft Intune, this CSP is listed under the **Enhanced Phishing Protection** category. - -## CaptureThreatWindow + +## AutomaticDataCollection - + | Scope | Editions | Applicable OS | |:--|:--|:--| | :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - + - + ```Device -./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/CaptureThreatWindow +./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection ``` - + - + -Configures Enhanced Phishing Protection notifications to allow to capture the suspicious window on client machines for further threat analysis. - +Automatically collect website or app content when additional analysis is needed to help identify security threats. + - + - + - + **Description framework properties**: | Property name | Property value | |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | - +| Default Value | 0 | + - + **Allowed values**: | Value | Description | |:--|:--| -| 0 | Disabled. | -| 1 (Default) | Enabled. | - +| 0 (Default) | Disabled. | +| 1 | Enabled. | + - + **Group policy mapping**: | Name | Value | |:--|:--| -| Name | CaptureThreatWindow | +| Name | AutomaticDataCollection | | Path | WebThreatDefense > AT > WindowsComponents > WebThreatDefense | - + - + - + - + ## NotifyMalicious diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 5eb3b2dd3e..e538a7928c 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -4,7 +4,7 @@ description: Learn more about the Wifi Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -228,6 +228,105 @@ Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. + +## AllowWFAQosManagementDSCPToUPMapping + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Wifi/AllowWFAQosManagementDSCPToUPMapping +``` + + + + +Allow or disallow the device to use the DSCP to UP Mapping feature from the Wi-Fi Alliance QOS Management Suite 2020. This policy requires a reboot to take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | DSCP to UP Mapping will be disabled. | +| 1 | DSCP to UP Mapping will be enabled. | +| 2 (Default) | DSCP to UP Mapping will be enabled only if it is enabled in the network profile. | + + + + + + + + + +## AllowWFAQosManagementMSCS + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Wifi/AllowWFAQosManagementMSCS +``` + + + + +Allow or disallow the device to automatically request to enable Mirrored Stream Classification Service when connecting to a MSCS capable network. This is a Quality of Service feature associated with Wi-Fi Alliance QoS Management Suite 2020. This policy requires a reboot to take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The device will not automatically request to enable MSCS when connecting to a MSCS capable network. | +| 1 (Default) | The device will automatically request to enable MSCS when connecting to a MSCS capable network. | + + + + + + + + ## AllowWiFi @@ -245,7 +344,7 @@ Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. -This policy has been deprecated. +Allow or disallow WiFi connection. diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 04eabb0246..32c31c0461 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -4,7 +4,7 @@ description: Learn more about the Reboot CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -194,7 +194,7 @@ Value in ISO8601, both the date and time are required. A reboot will be schedule | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md index 98866efffa..7771d079d3 100644 --- a/windows/client-management/mdm/reboot-ddf-file.md +++ b/windows/client-management/mdm/reboot-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -170,6 +170,10 @@ The following XML file contains the device description framework (DDF) for the R + + 10.0.22621 + 1.0 + diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index 7594de5981..ddfda20a6b 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md @@ -4,7 +4,7 @@ description: Learn more about the SUPL CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,6 +17,7 @@ ms.topic: reference # SUPL CSP + The SUPL configuration service provider is used to configure the location client, as shown in the following table: - **Location Service**: Connection type @@ -395,6 +396,7 @@ This setting is deprecated in Windows 10. Optional. Boolean. Specifies whether t + | Location toggle setting | LocMasterSwitchDependencyNII setting | NI request processing allowed | |-------------------------|--------------------------------------|------------------------------------| | On | 0 | Yes | diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md index 16e2b4acd8..5437172618 100644 --- a/windows/client-management/mdm/surfacehub-ddf-file.md +++ b/windows/client-management/mdm/surfacehub-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/24/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -50,102 +50,6 @@ The following XML file contains the device description framework (DDF) for the S 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; - - AutopilotSelfdeploy - - - - - Node for setting Autopilot self-deployment mode device account information. This information is stored and committed by the Autopilot client during the Enrollment Status Page phase of OOBE for Surface Hub devices that are using Autopilot self-deploying mode. These values should be set only during the first sync phase of enrollment and are ignored at any other time. - - - - - - - - - - - - - - - - - - UserPrincipalName - - - - - - User principal name (UPN) of the device account. Autopilot on Surface Hub only supports Azure Active Directory, and this should specify the UPN of the device account. Get is allowed here but only returns a blank - - - - - - - - - - - - - - - - - - Password - - - - - - Password for the device account. Get is allowed here, but will always return a blank. - - - - - - - - - - - - - - - - - - FriendlyName - - - - - - The device friendly name set during Autopilot self-deploying mode on Surface Hub. Get is allowed here but only returns a blank - - - - - - - - - - - - - - - - - DeviceAccount diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index ce9204701c..84b7a6c4ec 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -4,7 +4,7 @@ description: Learn more about the VPNv2 CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2838,7 +2838,7 @@ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -2876,7 +2876,7 @@ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -2915,7 +2915,7 @@ List of inbox VPN protocols in priority order. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -2953,7 +2953,7 @@ List of inbox VPN protocols in priority order. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -3003,7 +3003,7 @@ Inbox VPN protocols type. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7063,7 +7063,7 @@ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7101,7 +7101,7 @@ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7140,7 +7140,7 @@ List of inbox VPN protocols in priority order. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7178,7 +7178,7 @@ List of inbox VPN protocols in priority order. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7228,7 +7228,7 @@ Inbox VPN protocols type. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7893,7 +7893,7 @@ Boolean value (true or false) for caching credentials. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.19628] and later | +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.19628] and later | diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index da4d51d70b..8c55c2fd8e 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -4,7 +4,7 @@ description: Learn more about the WindowsLicensing CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -28,12 +28,10 @@ The following list shows the WindowsLicensing configuration service provider nod - [ChangeProductKey](#changeproductkey) - [CheckApplicability](#checkapplicability) - [DeviceLicensingService](#devicelicensingservice) - - [AcquireDeviceLicense](#devicelicensingserviceacquiredevicelicense) - [DeviceLicensingLastError](#devicelicensingservicedevicelicensinglasterror) - [DeviceLicensingLastErrorDescription](#devicelicensingservicedevicelicensinglasterrordescription) - [DeviceLicensingStatus](#devicelicensingservicedevicelicensingstatus) - [LicenseType](#devicelicensingservicelicensetype) - - [RemoveDeviceLicense](#devicelicensingserviceremovedevicelicense) - [Edition](#edition) - [LicenseKeyType](#licensekeytype) - [SMode](#smode) @@ -45,6 +43,12 @@ The following list shows the WindowsLicensing configuration service provider nod - [{SubscriptionId}](#subscriptionssubscriptionid) - [Name](#subscriptionssubscriptionidname) - [Status](#subscriptionssubscriptionidstatus) + - [DisableSubscription](#subscriptionsdisablesubscription) + - [RemoveSubscription](#subscriptionsremovesubscription) + - [SubscriptionLastError](#subscriptionssubscriptionlasterror) + - [SubscriptionLastErrorDescription](#subscriptionssubscriptionlasterrordescription) + - [SubscriptionStatus](#subscriptionssubscriptionstatus) + - [SubscriptionType](#subscriptionssubscriptiontype) - [UpgradeEditionWithLicense](#upgradeeditionwithlicense) - [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) @@ -167,7 +171,8 @@ Returns TRUE if the entered product key can be used for an edition upgrade of Wi - + +Device Based Subscription. @@ -189,45 +194,6 @@ Returns TRUE if the entered product key can be used for an edition upgrade of Wi - -### DeviceLicensingService/AcquireDeviceLicense - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | - - - -```Device -./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/AcquireDeviceLicense -``` - - - - -Acquire and Refresh Device License. Does not reboot. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | null | -| Access Type | Exec | - - - - - - - - ### DeviceLicensingService/DeviceLicensingLastError @@ -375,7 +341,7 @@ License Type: User Based Subscription or Device Based Subscription. | Property name | Property value | |:--|:--| | Format | int | -| Access Type | Add, Delete, Get, Replace | +| Access Type | Get, Replace | @@ -393,45 +359,6 @@ License Type: User Based Subscription or Device Based Subscription. - -### DeviceLicensingService/RemoveDeviceLicense - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | - - - -```Device -./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/RemoveDeviceLicense -``` - - - - -Remove Device License. Device would be ready for user based license after this operation. Does not reboot. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | null | -| Access Type | Exec | - - - - - - - - ## Edition @@ -1064,6 +991,258 @@ Returns the status of the subscription. + +### Subscriptions/DisableSubscription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/DisableSubscription +``` + + + + +Disable or Enable subscription activation on a device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Enable Subscription. | +| 1 | Disable Subscription. It also removes any existing subscription on the device. | + + + + + + + + + +### Subscriptions/RemoveSubscription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/RemoveSubscription +``` + + + + +Remove subscription uninstall subscription license. It also reset subscription type to User Based Subscription. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +### Subscriptions/SubscriptionLastError + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionLastError +``` + + + + +Error code of last subscription operation. Value would be empty(0) in absence of error. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### Subscriptions/SubscriptionLastErrorDescription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionLastErrorDescription +``` + + + + +Error description of last subscription operation. Value would be empty, if error description cannot be evaluated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Subscriptions/SubscriptionStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionStatus +``` + + + + +Status of last subscription operation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### Subscriptions/SubscriptionType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionType +``` + + + + +Set device to Device Based Subscription or User Based Subscription. For Device Based Subscription this action will automatically acquire the subscription on the device. For User Based Subscription the existing process of user logon will be required. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | User Based Subscription. | +| 1 | Device Based Subscription. | + + + + + + + + ## UpgradeEditionWithLicense diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index ad27537130..b5e14bb5ec 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/17/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -322,6 +322,153 @@ The following XML file contains the device description framework (DDF) for the W + + SubscriptionType + + + + + + Set device to Device Based Subscription or User Based Subscription. For Device Based Subscription this action will automatically acquire the subscription on the device. For User Based Subscription the existing process of user logon will be required. + + + + + + + + + + + + + + + 0 + User Based Subscription + + + 1 + Device Based Subscription + + + + + + SubscriptionStatus + + + + + Status of last subscription operation. + + + + + + + + + + + + + + + + SubscriptionLastError + + + + + Error code of last subscription operation. Value would be empty(0) in absence of error. + + + + + + + + + + + + + + + + SubscriptionLastErrorDescription + + + + + Error description of last subscription operation. Value would be empty, if error description cannot be evaluated. + + + + + + + + + + + + + + + + DisableSubscription + + + + + Disable or Enable subscription activation on a device + + + + + + + + + + + + + + + 0 + Enable Subscription + + + 1 + Disable Subscription. It also removes any existing subscription on the device. + + + + + + RemoveSubscription + + + + + Remove subscription uninstall subscription license. It also reset subscription type to User Based Subscription. + + + + + + + + + + + + + + SMode @@ -439,7 +586,7 @@ The following XML file contains the device description framework (DDF) for the W - Insert Description Here + Device Based Subscription @@ -461,8 +608,6 @@ The following XML file contains the device description framework (DDF) for the W LicenseType - - @@ -554,48 +699,6 @@ The following XML file contains the device description framework (DDF) for the W - - AcquireDeviceLicense - - - - - Acquire and Refresh Device License. Does not reboot. - - - - - - - - - - - - - - - - RemoveDeviceLicense - - - - - Remove Device License. Device would be ready for user based license after this operation. Does not reboot. - - - - - - - - - - - - - - diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md index 3dab9cc693..f511e6481b 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md @@ -1,7 +1,7 @@ --- title: Device registration overview description: This article provides an overview on how to register devices in Autopatch -ms.date: 05/02/2023 +ms.date: 05/08/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -141,6 +141,9 @@ If your Autopatch groups have more than five deployment rings, and you must move If you want to move devices to different deployment rings (either service or software update-based), after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Registered** tab. +> [!IMPORTANT] +> You can only move devices in between deployment rings within the **same** Autopatch group. You can't move devices in between deployment rings across different Autopatch groups. If you try to select a device that belongs to one Autopatch group, and another device that belongs to a different Autopatch group, you'll receive the following error message on the top right corner of the Microsoft Intune portal: "**An error occurred. Please select devices within the same Autopatch group**. + **To move devices in between deployment rings:** > [!NOTE] @@ -150,7 +153,7 @@ If you want to move devices to different deployment rings (either service or sof 1. In the **Windows Autopatch** section, select **Devices**. 1. In the **Registered** tab, select one or more devices you want to assign. All selected devices will be assigned to the deployment ring you specify. 1. Select **Device actions** from the menu. -1. Select **Assign device group**. A fly-in opens. +1. Select **Assign ring**. A fly-in opens. 1. Use the dropdown menu to select the deployment ring to move devices to, and then select Save. The Ring assigned by column will change to Pending. 1. When the assignment is complete, the **Ring assigned by** column changes to Admin (which indicates that you made the change) and the **Ring** column shows the new deployment ring assignment. diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index 2eed6eee26..71ba52fc37 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -127,7 +127,7 @@ You **can’t** delete the Default Autopatch group. However, you can delete a Cu > [!IMPORTANT] > The Windows Autopatch groups functionaliy is in **public preview**. This feature is being actively developed and not all device conflict detection and resolution scenarios are working as expected. -> Fore more information on what to expect for this scenario during public preview, see [Known issues](#known-issues). +> For more information on what to expect for this scenario during public preview, see [Known issues](#known-issues). Overlap in device membership is a common scenario when working with device-based Azure AD groups since sometimes dynamic queries can be large in scope or the same assigned device membership can be used across different Azure AD groups. @@ -188,7 +188,13 @@ The Windows Autopatch team is aware that all device conflict scenarios listed be - Default to Custom Autopatch device conflict detection and resolution. - Device conflict detection and resolution within an Autopatch group. -- Custom to Cstom Autopatch group device conflict detection. +- Custom to Custom Autopatch group device conflict detection. + +> [!TIP] +> Use the following two best practices to help minimize device conflict scenarios when using Autopatch groups during the public preview: +> +> - Review your software update deployment requirements thoroughly. If your deployment requirements allow, try using the Default Autopatch group as much as possible, instead of start creating Custom Autopatch groups. You can customize the Default Autopatch to have up to 15 deployment rings, and you can use your existing device-based Azure AD groups with custom update deployment cadences. +> - If creating Custom Autopatch groups, try to avoid using device-based Azure AD groups that have device membership overlaps with the devices that are already registered with Windows Autopatch, and already belong to the Default Autopatch group. ### Autopatch group Azure AD group remediator diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md index 789a3b23e3..fe0551604d 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md @@ -58,12 +58,12 @@ Alert resolutions are provided through the Windows Update service and provide th | `DeviceRegistrationInvalidGlobalDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Global Device ID. |The Windows Update service has reported that the MSA Service may be disabled preventing Global Device ID assignment.

Check that the MSA Service is running or able to run on device.

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| | `DeviceRegistrationIssue` | The device isn't able to register or authenticate properly with Windows Update. | The Windows Update service has reported a device registration issue.

For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| | `DeviceRegistrationNoTrustType` | The device isn't able to register or authenticate properly with Windows Update because it can't establish Trust. | The Windows Update service has reported a device registration issue.

For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| -| `DiskFull` | The installation couldn't be completed because the Windows partition is full. | The Windows Update service has reported there's insufficient disk space to perform the update. Free up disk space on the Windows partition and retry the installation.

For more information, see [Free up space for Windows Updates](/windows/free-up-space-for-windows-updates-429b12ba-f514-be0b-4924-ca6d16fa1d65#:~:text=Here%E2%80%99s%20how%20to%20get%20more%20storage%20space%20on,to%20Windows%20needs%20space%20to%20update.%20More%20items).

| +| `DiskFull` | The installation couldn't be completed because the Windows partition is full. | The Windows Update service has reported there's insufficient disk space to perform the update. Free up disk space on the Windows partition and retry the installation.

For more information, see [Free up space for Windows Updates](https://support.microsoft.com/windows/free-up-space-for-windows-updates-429b12ba-f514-be0b-4924-ca6d16fa1d65).

| | `DownloadCancelled` | Windows Update couldn't download the update because the update server stopped the connection. | The Windows Update service has reported an issue with your update server. Validate your network is working and retry the download. If the alert persists, review your network configuration to make sure that this computer can access the internet.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).

| | `DownloadConnectionIssue` | Windows Update couldn't connect to the update server and the update couldn't download. | The Windows Update service has reported an issue connecting to Windows Update. Review your network configuration, and to make sure that this computer can access the internet and Windows Update Online.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| -| `DownloadCredentialsIssue` | Windows Update couldn't download the file because the Background Intelligent Transfer Service (BITS) couldn't connect to the internet. A proxy server or firewall on your network might require credentials. | The Windows Update service Windows has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client. Retry the download.

Review your network configuration to make sure that this computer can access the internet. Validate and/or allowlist Windows Update and Delivery Optimization endpoint.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| +| `DownloadCredentialsIssue` | Windows Update couldn't download the file because the Background Intelligent Transfer Service ([BITS](/windows/win32/bits/about-bits)) couldn't connect to the internet. A proxy server or firewall on your network might require credentials. | The Windows Update service Windows has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client. Retry the download.

Review your network configuration to make sure that this computer can access the internet. Validate and/or allowlist Windows Update and Delivery Optimization endpoint.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| | `DownloadIssue` | There was an issue downloading the update. | The Windows Update service has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| -| `DownloadIssueServiceDisabled` | There was a problem with the Background Intelligent Transfer Service (BITS). The BITS service or a service it depends on might be disabled. | The Windows Updates service has reported that the BITS service is disabled. In the local client services, make sure that the Background Intelligent Transfer Service is enabled. If the service isn't running, try starting it manually. For more information, see [Issues with BITS](/security-updates/WindowsUpdateServices/18127392).

If it will not start, check the event log for errors or [submit a support request](../operate/windows-autopatch-support-request.md).

| +| `DownloadIssueServiceDisabled` | There was a problem with the Background Intelligent Transfer Service (BITS). The BITS service or a service it depends on might be disabled. | The Windows Updates service has reported that the BITS service is disabled. In the local client services, make sure that the Background Intelligent Transfer Service is enabled. If the service isn't running, try starting it manually. For more information, see [Issues with BITS](/windows/win32/bits/about-bits).

If it will not start, check the event log for errors or [submit a support request](../operate/windows-autopatch-support-request.md).

| | `DownloadTimeout` | A timeout occurred while Windows tried to contact the update service or the server containing the update's payload. | The Windows Update service has reported it attempted to download the payload and the connection timed out.

Retry downloading the payload. If not successful, review your network configuration to make sure that this computer can access the internet.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5). | | `EndOfService` | The device is on a version of Windows that has passed its end of service date. | Windows Update service has reported the current version is past End of Service. Update device to a version that is currently serviced in [Feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).

For more information on OS versioning, see [Windows 10 release information](/windows/release-health/release-information).

| | `EndOfServiceApproaching` | The device is on a version of Windows that is approaching its end of service date. | Update device to a version that is currently serviced in [Feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).

For more information on OS versioning, see [Windows 10 release information](/windows/release-health/release-information).

| diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index c4e5d43423..cf9c8484b0 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -29,6 +29,9 @@ The policy setting has three components: ## Configure unlock factors +> [!CAUTION] +> On Windows 11, when the [DontDisplayLastUserName](/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name) security policy is enabled, it is known to interfere with the ability to use multi factor unlock. + The **First unlock factor credential providers** and **Second unlock factor credential providers** portion of the policy setting each contain a comma separated list of credential providers. Supported credential providers include: @@ -40,8 +43,8 @@ Supported credential providers include: |Facial Recognition| `{8AF662BF-65A0-4D0A-A540-A338A999D36F}`| |Trusted Signal
(Phone proximity, Network location) | `{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}`| ->[!NOTE] ->Multifactor unlock does not support third-party credential providers or credential providers not listed in the above table. +> [!NOTE] +> Multifactor unlock does not support third-party credential providers or credential providers not listed in the above table. The default credential providers for the **First unlock factor credential provider** include: