From d07b0d86f6869b9e1b4e902f7601b8bc4682eecb Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Wed, 22 Sep 2021 14:39:09 +0300 Subject: [PATCH 001/122] Update token elevation type values https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9920 --- .../threat-protection/auditing/event-4688.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index fbb93d7b9b..22f0be469e 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -154,11 +154,11 @@ This event generates every time a new process starts. - **Token Elevation Type** \[Type = UnicodeString\]**:** - - **TokenElevationTypeDefault (1):** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account. + - **%%1936:** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account. - - **TokenElevationTypeFull (2):** Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. + - **%%1937:** Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. - - **TokenElevationTypeLimited (3):** Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. + - **%%1938:** Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. - **Mandatory Label** \[Version 2\] \[Type = SID\]**:** SID of [integrity label](/windows/win32/secauthz/mandatory-integrity-control) which was assigned to the new process. Can have one of the following values: @@ -207,10 +207,10 @@ For 4688(S): A new process has been created. - It can be unusual for a process to run using a local account in either **Creator Subject\\Security ID** or in **Target** **Subject\\Security ID**. -- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn't contain the $ symbol. Typically this means that UAC is disabled for this account for some reason. +- Monitor for **Token Elevation Type** with value **%%1936** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn't contain the $ symbol. Typically this means that UAC is disabled for this account for some reason. -- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn't contain the $ symbol. This means that a user ran a program using administrative privileges. +- Monitor for **Token Elevation Type** with value **%%1937** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn't contain the $ symbol. This means that a user ran a program using administrative privileges. -- You can also monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs. +- You can also monitor for **Token Elevation Type** with value **%%1937** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs. -- If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480 (Protected process), check the "**Mandatory Label**" in this event. \ No newline at end of file +- If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480 (Protected process), check the "**Mandatory Label**" in this event. From 356e56d25d3fce5fc4db68c9b5c94fff29f77a20 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Thu, 23 Sep 2021 09:21:09 +0300 Subject: [PATCH 002/122] Update windows/security/threat-protection/auditing/event-4688.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/security/threat-protection/auditing/event-4688.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index 22f0be469e..1aae0dcddb 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -154,7 +154,7 @@ This event generates every time a new process starts. - **Token Elevation Type** \[Type = UnicodeString\]**:** - - **%%1936:** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account. + - **%%1936:** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC is disabled by default), service account, or local system account. - **%%1937:** Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. From ea2b7b49f1ade6c716337155869509e06ab01010 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 31 Oct 2021 14:09:51 +0500 Subject: [PATCH 003/122] Update update-compliance-using.md --- windows/deployment/update/update-compliance-using.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index d27fd0af96..8fb4f00faf 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -56,7 +56,6 @@ When you select this tile, you will be redirected to the Update Compliance works Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items: * Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows client. * Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability. -* AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Microsoft Defender Antivirus. The blade also provides the time at which your Update Compliance workspace was [refreshed](#update-compliance-data-latency). @@ -66,7 +65,6 @@ The following is a breakdown of the different sections available in Update Compl * [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows client in your environment. * [Delivery Optimization Status](update-compliance-delivery-optimization.md) - This section summarizes bandwidth savings incurred by utilizing Delivery Optimization in your environment. It provides a breakdown of Delivery Optimization configuration across devices, and summarizes bandwidth savings and utilization across multiple content types. - ## Update Compliance data latency Update Compliance uses Windows client diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. @@ -93,4 +91,4 @@ See below for a few topics related to Log Analytics: ## Related topics -[Get started with Update Compliance](update-compliance-get-started.md) \ No newline at end of file +[Get started with Update Compliance](update-compliance-get-started.md) From a4d8ac7e34690842c5bd41ffed6ad41f22aff6e2 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 31 Oct 2021 14:11:24 +0500 Subject: [PATCH 004/122] Delete UC_workspace_overview_blade.PNG --- .../images/UC_workspace_overview_blade.PNG | Bin 25858 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 windows/deployment/update/images/UC_workspace_overview_blade.PNG diff --git a/windows/deployment/update/images/UC_workspace_overview_blade.PNG b/windows/deployment/update/images/UC_workspace_overview_blade.PNG deleted file mode 100644 index beb04cdc18268b912194ad492c6a28329bd4aaac..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 25858 zcmdqJcT`hhvo{JVU;|VXkgB2}(z_rK5v3-CBE3qGYCy!$NfZ@Dng~b-5eS4(M0yu# z(pvx_6eSc1280kG34t%5?|a_!o^#i|>)dtM{qFt4y~!@~%ri63JoB5GZMdO$UUuhi^bS)rd8eT=nlF%b+ZuQM?FbFDGX9Z()lP&ov3o}a@r9;glAt1b z`4q(a@ee)5A7>a(2!(#Ucl*KzqFNAne}B z(67<=!_6TdKQ6a&-qtdKF}wE$jxLv(0j7co4b-#-@ak$F-dbg%1lb08c;@>#nPaVgotT zLV~aEE_7VUg5Ryt22s=qdx>661($wu$B%D8Q#YmjQ0AIemSFhsSo7V~5*}-;XWp1E zN=mrHW8&Nfl#~N_hmveeP)(3cZzS`NnPo)}7^t-Ovw%fngobDI0O_|TbLvSU^NUl_ z!}#m3a8+84e4o@yeHZ6n_>17gx?(sorJ_^o?TuA=XJgY&G}@ZVj=J~7NNMwpWr1Y8 ztc2wSdHOJI8r{OLQXf|wzAn>}1Xfu~ko}VL>9EU36(0OX2rkT8PB#cNkiVdgeC-CZ z&00wbKQkK(9u-%w2LO!)zo-`tOkd8B0f;JHDk*=^{QMR+z{Wf#LN!DZ&jm9fr{Dr zjqcj5eYnF45OrAQ=>%e`|RP?(9S;X68Pfcwa7NF1wyamw3tA^3=buxGArPhS%;ZI$Y4!a z*ywlUw8xz{{QY3pZ){}TbDg_sO-(Al=G=?rHk#uXnNjMSIih2%qlKC9huw$A*dI$a z=a;WHa+lU}_F>AB$cj$uq&e7KT&%$+Qjv)Xr+aSwx8e&Q3G`6^ubt$OHmyVfG~d>| z;kacoX^pe%9`@|wMv_A%XzeR?bYQGJYUmrO1CLGJ0KZni)N=M~ucix$PW**V)Up60n*6l`RbuBy=SrPEiB z`LRjBNaxu~V)&Rje=qFqEj2B;bbIj9E_}ZGwD4;O#o*byy;lhOp2r)6?^o2P(B2+% z)`PTTZ+1->$qrKGpSjOuU!$GwDvr2gOPPScQ#%U0gSF;Eeq+7U79bz#O8kVMNZQK# z)WmM$g4Ny2@xNK*anxk&xJaY(M^okpHVQcbIw;Xxa!xqsa5vJ(n6446!kA!b;r2F) zD4VmC`MVOa_#a&$5v|dt0X6{25daEk7GLjlA6|sbL*pXFH(r3Z51D`+&19YyD7Oas zTO~$MaCCJ?zMPxj=(p!gOxdWXEh#U@+KXibjS7q|zUg1>c05N#Uy0&)C#=+&12Rqv zqRT1wELQqm&ZBjrTSArj>umY<_nQi7DBiZXjsza)UA_VGktpGJ5zH^HU&sm1F*SY( znz702<)9{Rpv|KPh zgs?f*NJgDi5}KMxf$XH^yv3J9KcnmzfCwbFV5~djy+S0)qm4Mqhkhf)=LgA^tOP*~ zoR)jB9%minkxS>TU9VO+;0?vr<4&NH0=Uc~g$&^`PZvPaFxNxp%okvpSF;q)nUgJY z`PW9BcvzSkDn-qyN5o5%4ZJ1)Yc5Tk&i1X=7wy;Jz}~ z@fPeuk|%M97*x;Fcgx5#>yXa88V5WB!$+MbsKX35U($~QpU<lS^384rP%6mCKb#{Nh~-}-Un?ELyi0AhREfDgG3qY9WK&kJx}s%0(wu?IJ(;A! zz^W5wpyw(J^E??&mOdkd=CN(tR<%@@y)qsBEVaaVd315%eXon0T-v~B0G;(SxNiow zO`a~Unm^+dI=?C2OWhJ0aKbyK9Z8tq>+9@N2u3xgK$h1jrCn zv&R@W=1_%wLs(b>^ssD|b7$v5LN# z6S9~dKu+p>T8Gs>Jn^1MQ}@lu^wy)u1?)2Q?hSPm0OZ>wXS z7KC{2>eCr;ylvt`bKZXJ;nOXb@fu@Rq3sD=8ZR83?&JpF^qK%$W$KPhl} zk#XNh=;n}fMD{|ZN+i1Ui*8DC*<-L;!;9IkAjwIeQPTQIfjtwiEb%0IC;Y*>6!omg*g*t&^mUrGI*$M8mor83y@?(p!5~O}Z7ktWP$x`s)WEG>c zLg_I8+Lw--zNfzn+slv)!P7I3=teGo;k?SRv-^i0vA-fZa-1%wBMayLn$aO9I@v?S zJFtamo zLxg)UxZ^g8uv!VtD*MT6=|{Pq%AMWeV~}0}#-oPSe7t(p%<;P!H`6k(P^86fsHI?lG&7&yf^DvTFf69R1#QiB%ye&^=d_jn^p z_#@TcS|%QU($>|QqViMy&);;FJm%~y)Mxta$b@85iEtXtrIS8n!jgVRcG;Nmqs3Fy zv%X8oFcgDD;b)A7OKeZ=T?TP82mJf8zhgXj2)?jeFuTg^TZ;cmZxo(x7tAFxe?%o2W)B3f}O#V(s;Q*Z$!TXB(qvUyD1}b%I_4w8> zf5OQ1WEI3Yum2)rIu9g)t&X<6$cg!8#M{#CH~%5l-~BPrzgO9S4R>;yE&l50j}<9PlQ?6UA%D&3 zFPEP&*0*^g|6223D?DuCb^3oFfG%PpS=1P0X$C*40cO& z#jhyTxg>D~mxf4_?u7rxeKs@vA($8`fJR?}^aXzEpQd{ynraNqV<)%pgU8Ldk#e2X|E8Vl~Q%>Ms+@J5iz351Ha<}QuM=#Rn zzZp@6KHE!lKX|3R<}L^GU!(d5tNR2G1abyvQ*i9?pEaLwo$j{&LGVDH;og$_f;zA% zJwCdv{e$2?xZ9WWfe-nogy{tTOpDIlz8HgUm7M;#>fjZ4hv6dK|NI|LO<*9Ren-qN zr~z(HH|jGie>FfyUXVy~+b|jn=Ity~ zst%Wb_wyLw_go)beDqLUh-6Au<;+dTscxzetrD_J6}Pbwe$}Z6OL;idnP;kbKliH{ zSG-7aVGr@l`Gn(zQu#gPLEPO^?QQ3kYx%*~%1bwG2|3MR! zss-I}n^0(Negm|17n*Uwz1d7i=g{MK)LU!R(9e^*@rkIX%e_DRL)<$`7w(<7-POtw zxM7pn2|iBqYc1`c+m+fEm>UR=3(HQWmDF|b9}~K63O_;}@x!>Ad2;i_M{hYAx04>2 zi0pKp6p-x{vbbnT?o)KpqNyM~tyl(X0J{fT;saBi)rX0DaGa7lxmcaVJ zQTW-V^Isb_^PY7MKe!xxh`eJ-wFm?RMB4D!G25&0TsaqWXezOg6$S-vriQ3yxIKUX z0}8LQifM`|Wp%1^!Q?x7JH(@6fYL64BAim1kJj>)GYk3e*WQ^k4nUM{q;()Xh^PN{W&}?@O;@u_84|rrY}p#g z!g)ZcVudM*VK#A!|@tq8)Zpons{Tqw?)=ZMRT5u z2b@F9;B3k}Z zEPItBzKJ@uis_bWdT{*tg`=TbLhJVqQUZY~l+HL2kjCQ|PyX{|de-_>x&Pm^^=lvv z5j2N*y8noHXQt0VmYOsCGNO-ZKd)_d`R$G}*M3slHCAVR(MBSbvN%G_L!dJd1}cgM zDT}_l*#3A5&33(1abwcNeU$bEm=4#QIvZ`&Gzsr5ML+`TZ(&!AJ8V=g<>cbd6_f^U zZ%KmR?z-Uby%Sb83x5e+{uPu7-kjN(_OcDbm-;$U)7!&3ir_YenQFSb6GWr9ulg<|)$J#~tc&(iDN(oN#jZy87gB#jU%Eryp zcB}F%_J(CSbVIT}rHiWV*f|?a7rvzwxdjT9x6`a)zqTxc<5XFp1sooUk0(>s`yV%; zM2XzOAr7)oPKY%^{mgx+e%COp4^O-_AC%-Mze;4Z5r5!s}! z*TxUbZB^%JXA>XiF1JRa&)m2u+%R-^Vn#pNdsI{+5twYhlcTQGTDckAT0RSJgmw*Z zrRMNoo>EL-2!Q??@i`3oKo@z1G}7R35~ptT<68k&1?T-zZ?`>JKlZh1YDQjz?_A68 z9Xs&ZQG=BCj7oz&de^=$>tMO4&0EWlX1aw{%pu}Kn;j6NkrPodjI`AD3`*PZXo~k4 zZDDthTtSTaMTzk9Hf?WwOoj_K+FIKaZHI-=01_MfE4+)Yxup&i7u++)&SLEl>W)^~ z^#Y9qd?&=YyHV^sdcaAauJ{v8#xBolR4(d(?$2?Ac@58`INU1l6;Tx%P71YQ$+U2z zuKTvtih>Kr&If;U?!q=>ld3W&l9E|bowxJ(*ODZprZ{`F#Cj7~N|GSbwGR+OTo=7O z-K}QHN{eA{`oVYV)o$^>eOq}f;LDn!uYzwQ0kkNzGTepNbzE829omj?X-*3j)}kxl zO4=k(gU|cfH0V3#dJ40*`n_#mT5ERTP+CR+<6T#Omh8?P@xF(5cIRdu z;X6#81k#hr#X)zHcUwQ3E!>(?58*-h0;P3oJFJzJ7F3Z?{#K0JjrOQnt1-nO@$cQ| z@Ne!uz~8ec*=$!TWwIk5L|(xOMRF-h=7!X(x?Z|M_9d9zK1}dg-QC2y;~i! zL$%rYge=y(UZVmk0uWPE_h7RTRg5_*%1XDVjJOcrJ~rBk6W)>_G%YO}A~Qx>Iu6qa z6DHv&{e2JNd|ON5 zegH>K$B1h1tT60~ef+wj$M9^-cyg!yZx!yW-ry$5s-+0yX*lRXHngcod%{`I@zk;| zHEE@vb%fhhOJ1l`$JKs1LtG#%DW*zWRz)RarN12vIvMwf#Qn85{Y8iZNytzCJkQjgpIl=R|4CIv)+?G@zT$L1|9n zjP7pQiT%10Ml2phb0mxF?%yXd*(7~`_!%HI)r3M zRqSxN6!NN_2|n8|p3=AXpwfPCZRT|VWl*gut>_&v))}MLSt>H3Rko)`nt}IhRpkz? z+nekWe2Sy0R7Lp&qXe3$dRSz?+Is=6X!c78Nkw%@!Iu~E)nWyus!_vSAAJ0F!6+1m zXKFMnHP=m^R5rro*VG;z6^;U^b4-{w{Jz~1qji_;hMyd6SK9N z)Sb-n4+L{#*WbNP4Rp7{-NRRg$hl{GxCH)qN-v|zC($3pV3r~bJ*TxoQE_(E@x3eW zj6OJAuBtxgU7dd6eDVxe8%S~T?a^5=4`1FF8#Q7hObe^R*^fzsP_8D&lJXdj?An}9 z{S`kt*sCcY>H|`^gAMGj`%`zkFJ`)F=BkmIhOTj!i;1+3>wjf8dHJ5qMP3V~@1C~Z z*A|L)3HO3d2xGx+xw3k#QLTH>C>14=>xa?DLpZY9!bj-JGi}W+uBWa~SdlA{CI$US zQ5zHs#5bU&QemfFVr_O#O7GTGGU}ylz3$j3>b~O{Tyn?dO{UQIJOkNhUU@D6A}$A;(bjdU)=aJSAM671(hU}JWgSQN za`pg{{heV&6-s`>V_?L(-hD-s`{lv2MQO1C91!%>)y%v^4Y}bH)H&6fAC~iBw$Av* zLe~jYm?A0V#9d>reLa>xyacd2Ws)a&PB+Z+#2^jPOT<2gXM>6KtB1lv01#AnoCZg)V*9a%%l?g3v%@>Q&RmNM$+UlQt+k;+BomC6IzET6lkQ1;hPFSViBKaWz%;vM*ttKC2BHgWbjCO zs-#?%=k6SlJ-^9Ir!MJ^mO+?$40){ni4=~>tCh&>@T|_vw>5^) z;9sDvD@%fy=?-TbiYXq6aK7KLC512PZJTwh2(Ia`GcMZcV&^d@*$zmz8^BM}!{7Wn zG>s{rh=z(Yf+kK#yP7VGyhPuRmh6GNlw8o!DZ5 zZ6&6oMEbL>P3_$-E|WVNJ-aQ|Bw$Ss>pgf{|G{Pc*2v7{_r@br8+X4oEqW zt)3&1098nMTk+QTZh>$wMwiBONi z=#`@!93Wqc`>>dl#6ZT1clOgd-&c6=C3@}XZ^}m)AZGSr>sROHR!X&q^Gmp<0#T(9 zy#=rt-PnNxRD0L^eVO(m&k~0MVg>z1F>Ve?;aoipDM%w4_xEopSJXJ$;oP!@H_Bu= z4QZ(==Oy=GkVdtnpBYlX`U2Wsa3*CkvrPN^(ptNir^#MO38MDO7+tFkb>F({%?jpk zQE2_Nn<3l?aIN%0k3%)8BPCD{< z!43ogJxOH-eg8-}DUFPgzU!u3KkF zq-*H%C48qEf?N?60U?2=J_B)*nNGn&F37WYU{1n`shVb0GS3Si z%w)LYd&Jj2m95Xd9^6ZxKXwVy2~6J-9q*eE=<4m#i5HB(E*xsZ0zcHcQ%%$acR~}p zZ7ej;H?jttEF-jAj4q-TV77MCjo%h1-+phLno}suiu)RKqsBNdd_L+iBuX?%_Z_ce zEb2s@TuyKA({4fiVNB{16X=b!9(SWu6J2ZKr?LW_;3w<>r5{G&QX@H@MQAt17&pyess4B z@H?lmYG0Ioj|VW7H#$e94E)rauW=FeBhSW8E%JYO=ef+&J zF{sk0ZDz?RMr?lVx?(GH=#fDxX3Rc>@Hx!j5@6-08p+racT}+LP77|S!Czf1JWfi_ zZKzCEj3brzb|VjnD9n{)m@$)C*|0KuU-GOvcv_?q8abJ8UsCnKNLu_4BG0^5f+tZ{ z7j?RWmSqEZ3rDnY<*GJ$qAgserDnWJSDa1Q1AsvHXyrEI03Yws6!us_aP>han)ZJa zhVJiEp(>ZwAqQ=2+P4op-ckIkuLmwvga7n_)47l@bO{i4K;-XE@%~?9+5d-$Sj&;j z?E>zo?d=c`g7ez~K=|ZqR1;~`8vm^ng0C2}d$ymsxUl}69*|e_n;`aRTO)#d+uATZ zM)W8>YjNZf`|idt7%Kz2c4WWB!mSN66SS&k&d0#;#AvNkB(vNPyx)7_>PE;=QKKDV zU~njZL*LgJ8Qu&1&(D4sObnWTx!+75SzT;=Bf75T#Mjbv^Kr`9s&U6;V{SJ}#iJoNy3&{#u3PBxTS|Fx+jEYAplIq@nv$5dkz()dM}yR3&Vx&-Nmx8A>B8 za8hPw#o_fWz8;x-dvAODlf>PUb9jam&F}(0cD`BYRE^{Zy8#lg)HGA-rE-=hcMg%g zl~z$A$T!J)p2GLAxhLW#p>?=<*Qr3Mj`Va!JG3zj-tZIN(K@pArN*`X4Y&$HQp`9}rFudyfJREFHhl?@R&I`-)SmM(Ho|K51hidsl&`PW6Tf*JW96m z264L5>s;`C4`y2n<;2E=Lyi2)9xc_Jp7_*o&y^L5ub&o2MECbk2(E|8T4HT119-fi zB>1`|?~YVp$E;;wD1O%J_1QaDDlHqO+qSVd@49JBP+Hl8!n?%7AFD3_R=(?{gKUsa zA7l?loaqt0sw9g}?nSM=2nHehdUeFgBNF(dikVTg@YpVy?;)2%OY0zV;iz0fV9xg7Ak<~J zDP}n3L6@}xA%q^#53q?8w} zV2kWHH4YS81 zaYhpunM0tZ<$kvEO-(>hACVhGvHqq^}nJ<(_ z+RbK1!%PyF&QZBlY9SU7kps1bEwqH#m$l!ZK}olwTz0n&0@vFBrH-rtOA`|ACBLih z9SRz9c5i8Ef6p2cGVY%F+R|tB9=#3RRBCndtU!cKV58j#z|Zl4XU9p%A4z3P|kNNk)=sTnxbT>cfqDuy9=wZm&+M(wPy0^+M)L zgb_3kds~Snt$xR6jA>WncG2~PVSH?e zHje%ItKpIktW;;nHV(g9VuyMsZjG+w+wfRYhHcwX(Siv}Uc8%mhnkK%q}q*TNl&<+RxSiTmX0eH%DOfdNOQuT#vAw8|nCf4vnnN*l>M zf;2~$XlajqvyU5!lOIE@X3naSWI|X@7WI&c%TB*RZv_4NFrEH8N4_HjCsnt(F4B_5 z{lTAqTz%bQ$ko3VHFH(U^^Q!I6o>ZO#CL};tXsoi0n?z>S|i&p8G*?uc4)<(U&j6Q zeTY@Cju`Bv-P9^XikOnpXalWZ7A0xfJ^zuTQVxqs84_E6ZQkFIy*UFfQW>k)c79<6 z&)xY_Vl-Tm#X;Y}@8JVKv&&t)hv!UE0rHEVe8#P!0iSHfO6{73zmwr=uyv9Z&wQ8p zSw5MjzLxlC2lqj}Q7HMz5<>oml(d`j-4fb@dU}1m+M0>hP=<8)i@<9+Zq3bs+Gkx z#KXtdQifSs9WLq?$Z73v(&kE(-L6ziECnqE=uM=Oj68i(0Q7LB%|{EnRBC7^i!^>4 z7$@^)te1MMJ^9|rbo!Q8i5h+`eRv9V$@u;Uk6S9tsh2C9h36tTqDIa;iSS6p%q+79 z$PNDM9_JxZpw7bvL9Mca=URX^KiJ!TSlwYx-Hiju)K^n~G$%J!3rHfB`{5(ST z&I3*H3WK--qT4f!_b#1F4wQ`*_dYZV@{LkbZ)O15W!Zd~{wUrR66xLZsG z?BOZATh?-{q~CB13B|0^$C_szXri7R9}f0R%c!N1m49H#rR9-&zztRIV91G+_zVaA=Zn^&Vk_xQ7PKleTtc9<*%{$!Yk zaEzUg?se&YLma$4Lby;`d0Vp^3(4|*l_`HcR8$9=RqG$TU0O>|CAc-k`QAs`4LRG{ zgH4of4}aJgVlpgNQY#TQYu<58=JfpH#w(%HAc@d!F)>wb_kHltWRW(vHiz)oPWrGJ zrhb1>UU{__!X7EIp-x&ZX@WawiqNB7cRcw>McmimlSOjeN&!0^rs@|9I8yFKUVN7h zH|oN}Iy9%kvnQ8Wp)X0Daovat&rG> z9-=w!EkQ1a5F-;!vTWNGAyIbMEtY&cyx+zoV=y@K*Dfx}tBi2AvE|xN36zr__P=6~ zzQDD{i8~sqV0HC+woEhh8SuazI&XV-L>Y*89-Ur^*g16Q=8XebzDGbvacclUUbKvlQ7kK=iywFR5RD9k@$g+)sF(ex;hUQ+>_^v0PMz zDTQ=kJW3jv=>>(Tn{&;Ah#l`6$lYD)DjKl67K6v2{uD@V3+ycAWmZD)caPFB)Zj23 zj%`f`6o3)L^PZ^k=eP?$qK0M(Or_l~Eay>UZ~wo-XgCW_kzh zw;P{4OkTU4QVS4h1r|K&IS-V+jD+1_zsssLY4;HgPF=lL(U*H7?3`KA`0nvsq$jI4 z9Xs`L&p#T5xB8MTbZI$(^Sfj7;bLn??&S*PH%M?$1@Dk^X|*LRL)#o#AuEo?lXeW8 z=jS>&T=321Q%4dbWdNLJ?-CLU9I8K{h85+;CMS8!Khu(HEj*_=?ZMYqx*x)7a1~3I zH;D50>YNn>a2In=o8cuhbg5r_1rCEa5trOd;FBAoNG1mvO}MItef&^skrJ!t-KUeS z*N~$xQF4dT+(uVLY)!2x3NSn7ez8Oo=m|~vn+;Q#y@6=w?77AK6!X{5uEeM3tdM|s`ZQu=MRR&fHREt{;03#Qy?!PJdVIguI%BdpN4_;-WzydrAw1%Q&q_;) z(0}npJ;nB_Qu!60_!2R&306=7?=wC6(bfZRd;?$VHqLZ``{PVvYM>`YysPX zuum`%7<*Z-nxyjc(1F~;Wu%kKCmE_k@8t$S$vr@~nT4WGJsBlEusjec3~^!>&jVvm zC)iy-Kt#HQfe9B$0I6Zo?(y6Dv=?T`q0RE8 z27ht$Vl!g8XgQ_~&GGE{{Pit=cFV&M?(<7`41{`+W!dsn21 z#{yc)3jI!M7&}BziI#CN-^A#_R+!KbWnN#Dy>y5A=2r#Ex8oJQ%Q!qLPte?2GFP$K z2x~uA2{-1SsMP}5ZaohiBP`M7Nbkk}eDnD#0NIqa8FbiXp>82ad(t36!8+u@$QULg zTd*{No}T`hJ(1hsY|!w#Xr%A+s)eay=QR7AIDnZHY~iKDXPjt?CXZ% z$t5@3V^U5tBp+nZ#>IxQ|_kK)U7Y)wr2$8a|=D_(ubFJ&X=!u}WzOF49qgW-H z;fp$eXKo{9x+M@|P(_suIqiSF=Dr-;o2*ROs3pEjtc35|LB^lqNplh{mU5=(eWGn~ zC4lGwv*KM~k($aYmZlC_^S-Q{2wGkC-IXVw8HSGs+-w+j`X~ZZYp+I&!ASTJ_X_0& z)|upe6^%^oon1vq)ft8C*@kTVY@u9|{+joK{4z4_WC-`)@SWLtg&>I9<7xc-m@-ph zw700gV?CraBErGcC{wYF~{D~d;EPM7^N+J;5$! zU0`hKT}=m1?+j(Qd9e!JkpZ_-t0X;wtl&1fXEmb!kpG$aFq0~Ud8R$34!+L0>a*I^ z%Tu+X8c6g|OG&;_JyKk$q*^fjm|9SeZbVESS7;!;sd@iR>QPhS=5wl=HpWkC#kBp4 z+^d6v79#_Vh_t_$n53fij%S*~FB@C%wO-W0Z~u`~UP+XaJUc6$2%ktp1u2$iyV?exReZ)Bi+k z6DPyY??}T=07J4YRFP~8FEtLJ$aex40)4w1=+Iy*A8V;D0kCwP-42=M5_LNJYdg9% z{#(%n3B*&~?yNvUq9Q75ZL{@QM!5)gnj!dwJgbtn2U}p=Z(%@~T{&^%NJPqcq@uJvo)xrul7H@7RvL3zD6Y7bT<#SK3A9lNsntPt86FiXQ0 zb{I*+$o1hNh2bm~HYeTpk;!7y)!gPxpup)H=N(mU#P0YyIv=xCcj5C*?fT9UF*G#S zy;(NmBA-wW2Tw=8$w;^e>Fy>{pdP1C;d3yK3h(bEmv*zUh1yS!Cy%^^Q~XsPX~Hg( zoZQxHw-srzJq(4A^5z4Z;7 z^hCkFEHsumP^ZIz+1SJRR^xTDWx9s%t@ZWohTS(+&bN57JGtM1a)&u(>QcS`0l0tvv&TMRgScyf2e?}p+Ua~P=pqqlf>*itx|CBB` z{9NU6(~!Rl7b_RKetIrgzWuN`bC|+DAH&EM);MNB=FwRvzE(_4=k*Wgoy0_btPN$wnt ztwLRtd|r~x<7FmT(S+>PZJh9b(soF#_jsh!_>lGofXax1M+pzf2th$`t76iEBiG&s!N?0djxUx`e$XEY5>+BScxxp zOT`6TcBKFJ3a@>jHu*)%F#fEQ&c9PG3v_bjlAw_^KPW1kC5i7Z{DM4{f&I9}bTi@r zT3H;Wr;`~EaM#CEpE1pcZqkca^p@Y~|NYLBDX6CPE-^fLF_Yd-yI-ktSjU+GX+>4j z#vRf8CM6AMSDAU8^6-4Y+bh3B%HSa8)7rPJ?ZTEr|3g8^tgoYCjz zB5?#ymD%-1{i4*ZPh~zosF%|q>YN3wKD@Ami9r_~#w0I#t)t2~QCL#$s(R=AiO=sN z<4`^=_q6suHeT3N6iOJDCA#8&90KV9Ym4nci<0e9d_K@EY)Fg{Kp>)@h2cIunbD77 zD*GO%YEWMpAvF4X#POW-fdWy9gCBZ~^j(X<(bf@~+7N+4Txs#7o zB3Wm=RSy8KQ*Gw1cY5}_W7ITKu6X@Jq4GB6*2E5nmZPwxpnvUi$_Z1_=B)~7d;GV& zlnVlJU2qjAtV%X6fe#E6LwhwuCz5ZZ+;@e%0W9Fz0)DRYXg((7Rljx?<8~(&C4O7M zGa0=Kj|i!dQfw+mO!XbkN;A}+cQp2CWN@JKz8+x=@a}oP6{iWdxY221LgG-KT8JA# zvNNyrTzIfZuK3j&88-lKd=u8?K)5u^^abSTydGc;vfA={T~g+bMxO*ZjNTjWpfG%-b2Nl$c|H)g@IKX0o^fX`McE?#Hca>u_|qi!D{(Mb(|f6R zEom%qNkk^WROW?Mj<2$R(DO>NN~DofnDMx9@cFY+Km5;tMLBf^E>34j!8(|NlNb2T zJW@UL>}$t-VjGjcj&O49ax>Cl7NzD(5U)t;;Xm&{Sj$xz!+S zsjkcFmQk(>PH8u|J5~9tvOYO|a|TA4nb^EfHNk_@t3)K|pPg3qJ--|)b8PL@GOko- zecM<6Lt}h$U_U${c&e6gBk=sA7vDHDwdG+l&X%fFY1k$1ptoF4j?#NPKn+X6I z({sfuYfjLQByW?7fP&H=M;C?i6eSZ_Aza2t@UDUcNs&UnAW z_&Fu=QTFi1?b|hv?mUa{RwQr^Ew;ZKtMVj{>IuM`Sqp9mo=1rypI83=R<`+ytKiAx z>Sged((8LA#5d9W)@CUpF<=G7ok<1%;qN&mizsxH9MhQO|4$$V!z4#nQV{_DQ{w|u()R&JS0K3;aCh~(kAm2J$Uq`$m3gbA zIY~O#HmkULi;1*6>&NnJBXNkIY`gc38S3W3J5k=oGYSd_&2huM;Y@LfBiu|&B*<|W77=r(Z zoev3>h1V{cR-xIT-@0J|hzb#_CR*-%)25t#$_P;P*06j{O)h!6}YlHKv>ZqQE*RLK}+qYHe8E>YF|{2 zp;sGuYy($XeeeceJ1T^ExgbpJaNyqH%aK}C_r~jxll)UMg@3V_ChMTUEGs6`qcbiPbw-CMG~|&Ag?$9p z0Q%G6^JK}==1MX6m*p{-;urT0m@ZeaNKd|bz&Kei{5J-iC}(~6_bGFUuVOtXgqM~{ zw;QORq1w{ECT=hXedEtBE2S$I8NaRItw#j5a2W~39r>?2t)b#IF;OyTa{NfAs#om8 zWA#JFi)wYkSm~8hP{kym)<73k7@#lQT1t5IhM8G!Os7nS+X`d6*^%-rBxAe~F9_~tuXhZAm5}D)HyzLTWW#&-kmYky|qD1yb}?xeZd zUz{_v3z5g~vCxqp+`wA5M`sHK&)|Ey6MPOd?M62vGAGYyFiVpc;9NLHVk%~`h|+zaOZ zwUg%V?)okSQS23GPCP!63~sh1DMsK#-^kR0WMXrsyQYMgY=P4S#=kRhuF28PSd`P<$Kg3i_ci8Py?QGMfrLSXq`JCA|I*hPtb05MjH7@8_ zaPOunU#QkLmGq>kUUjp8N;s?*OH)m6n9nkMcJ$BAp%43h5%VEm3wjY{s zTDEeoW2)L~Yv&1Ez4Fk~FRlUNv`}uUk$iz4b|OdB-}bVD`p-AMW!Vgw znph*J%2>{QkjcsIvnxWp*3FCm#a(ky?N~NWzEc16i$3zMBV{5<10U1?)!?ss|9ria z4U65$QT6>W{ozfNXA342{bP-gL-DbfrLeT8cJ8gD>-xB*i z4^IXVmde5YB?g!LzC_2|ohY#?jR6t7qR!@0jk?mN?PG6vFryYHj$lG0fWeGgWpgB+ zQs|JYVFw6Hca8(wz?oTGsV@QU{jyAX(yj4)Z-4`H$y#k{H~wLH2@IfWk2bbGWQ=@P z$x>Gb93%LgO?@HB&6b_Rv3MhaV1r#qtu09&(_z4Nk}q^U@Pro)Ff>p8&+FTNVJr1F zKK+keu~Z$32Am~2yG>8{Z>%|1pA)}k>s^_ST5X19);t#mCN*wn?0RW*e>917P$R|Br-!>QsF4_-MlkF*X$TD(yK`EU8Nf>_(0Q9 zT*S@ct@yq~T#V3{JpN2RcjDqm3CFu*rS8as1FX?-W&ii&J&;_2f;h(Y5u}DLzJWbI z3(}0&6ax}GsEK~6BLW-<(tB4>7~l&rUKti)Y(d ze!gs92E^{dIseI%pXC%~ycn8}_REa1fKPddsma3WZ^kukPv35BMw=MP-0Pz{R1 z78>LlYMU4F-7-II2(F{#dPiojyN3i9$#q?S7`-C{SnR&uw5POF^P?YEd*KQ3sDl(E zCMe@%LZK+Oum`el-1&y-6D&UZ-krf4W2l==8HFW%)Ioy6tjq{1R|QHgyK)jK)lWa8 zOY;ux$L!ZvutKR*Pr;i;PNaD7WCE6IEQ!d0`el8sp>yZ&)4I&Bq>@|J{*s-#FH&w{ zZ)S%&p(iVD9p`e~r1BR3b<=M4$g4twvt}#0iIivRi#yih-sr`X3`4kXGd!=3>!s|6 zVz4phNp*WVp09RxiY_Yy-(=K$HS#Z+!Z6%{CTB#Y%~ND&vHD{3n0OamUxKwUF)>l% z(R7^IYIIsF?k;=5jX7tXLAJ0jGF`Ra=a|_=cNB-1XV*;lFcgsLdOV9jhVG;L)dGc8 zk;rC~;uL}c{^fJi8?sPz4oTw;s7gTVCH}~9!Z%}q6L3HVRLnQs2n;7R`zW=;UvN#w z1y$g*T-b}`8<(})s2dld!sA5aI#YO}N*Ig1!nCtV`Q;STC=+Q!%Hi3)T?07+ZVz)j zU9sct8~&px| zIk%|Uo{@10Ye2&I=AV7dqeM41C1}m3Xxu_&S>2rz(cfjBsc+kz0r-~Jeo}Po9{mPq z`#mC^GNBT4P{sANLWX&gr8F`&H!7#sUBrG-y=d}>q35_Zv4d4{kam5Dmg_!zQz$D~ zp?xa1cRR>3_h}BXwCo>fJ%~~qBoT0SAEex-q4V*-pUwhxTTw)1YRWr!_ z2xgJ80FVaOxVX20T1Bo!DkuN{qgW@aq2Qib(qv6#NkZXOuZ@_sud~y_B|CqvCSxHp zZpm{5>CF4dK45=F>$!osX8N{ID&Pyp8~#sawTh>LB-MLfHp{A&GX(6cX_m>s(E|iU zSsIl?{B}bfAh3#Ox@XtjSf?iF3*+vicKmcL9YF|EjXq(wrSn-TCJ*D2-2i{nYJh7F zTx1gySlfPJ}k6(Z-C zg~~Y-^E>ly6Vo}&iG7{y-Xqy1b5|91-fW;-W%?<;S9BP_WhwmJQYtT`Am#vCfulA2 z2(T+N;Eu+0jQwC%FS=%_2i5AL;=IIvcfIjE+HnUw>D-;c->4=C;Lzv&N8Uq&{5@0L z$IJtBzJWO+tv4p={G5_Zw*qugpA@ZLezUeEMm7Go5X z3I6wVHI%Lg6ZqXH$5X{~?5422rEA?P_Afv8O?ZH9kdzMc%cWGc%BADKa@RKew-f2a z6V`}imVb(3md^LMF9#L}BK*ZAq;7gsbVjTGCAwB61%0=5igwMCgVP(6Bg%N0Sx$w} zEvLDtd~g717qwa!QG;7bdBABp$I@A|DC~XZx;&UkupG!0DjS(KI7!uep~R{CC8_my zqaBaZen0Y{YbtbdxpC4g14kY83ctPn$evfr1)WB9@@mZfjas#S5j!RHN^hPa7B*7} zDGvyo@9$=rAru|o#SioOHJg*tozX{7v#bM}KdFoXokdaiQ4w|8zU0m$@l&15teFcz z+EWN=?r$OR+|{77|!Uo7iWzMC1{qT>&X=hUT^xq%HwYH z$zahn`JoDaSv#X$32Wba>f_wp9X-Ax8K|~>TAOBH^ek;=u0>98wCO$;k`$ednbeef z^BDDZ98v3IJs(CV0M4S~R?;G=r}OHqMy7ds%9cxPTDOX4FFHS{BY|^lOKQvHmgHDA zduzSYwsAz6y0diNEtkb5g=F*_ z0}gg`_Y;Xno2B=be(t@jeO|z_g+JDu&yo$Q5Ljm<`Ns*)(tu;q9MPm5s^g;B$oQgEheU76IPyawR5J- z?G=Us(9od=L2@a+w!J;yjOz`MFgJl(?Q-kL^GC$~ab=sV<`zr$h{;k0;#f8^7__0P z10THQrT8O!l2_u!5`nO3PyAA4K5-4AYNGnskJq@bk?A8l)vSs@+8rC@J7B5cvF~_M zKFPjg@ER^cRjVt+%NOeEd|leQ{6wyhYmh^~I=ybpVf;#8>{z2ivL}(7Nf_s5e8?j& zXn>nPQ(SxRV+c1!bikZHk#8G!aIjxje5|SF^ z5QYq$lIpWegd6$eIFXrn8?rSDemxX~6K+Sk-%)Gp}Ev|w16tk<%pISH7u zc1qQXJ_anbT^x7_G+TV2NfZ7q-l9m$Ncpy0o%})u1#@1Wm5;zLa~j#~c_VK|TEk;8_B;_ujgFDqZ$q zYo00qZq)!p_9EB}Au7ltwv8g=t;TGncpk0(-hli&5wx^`kTTT#MjAiOzhsR^9D>K! zH?R!5UaT3;2gT^!>b3beS;ukxC8qI7+O&nX+f2&#kd()vm^yx*N+3(7k!X1KOi8Fc|XfVo>=(Hh?{;wnQUS zefwl1Y@9?ir+ngO)zYW&rRji~JA{E!j>zaY=4 zEQo%0c=cR6s`~yVzdS6&tpA88_ty$M_K`C4$JHOM z7Y`HDgcH&RvqN&+r9ZBH4Cq}@K-owKC!DH11rtw1=5t+ckLP!M-6+g)qj8R6a?Oh- zg&!ORs-6|ZR?v>>;*M|}K2|M!mm`b3p0kO*o`q;fe)93YQMFDMAO$>KKo3`dB?v{vkA_L zJgNWf*`2wFy&?mSeGLLHOR7sWjy@SU9K|U7CaH=x?6|^g5Ktz=p7h;NSIJCG-0v;% z4s(?}B`SFNh274Gb1{pLy>ScAyIn^l+b5B}d2IRmPZq)RkR#8sx$W@{ONqs0A&aBm z;E5WKK5B}Y!ubZCt^+!>Sx@*oP|!8a`4yj_5`>bQs?Y5dO82{ujb=|j2H`I~QP&@O zwjhoQ>Zs#kg;X#8&G+>9L@me%&YKdsx(m5_;fYS?cVS{Iy^g)FW2)_@_%zEcpg!Csy>(tAXMjTTg+( zzvg7PUqu87LJ4^#b_rgS|GA3u9k9*4>ghv4(`T$sZg=fsQ`awX=N{5TkXysiw<i(UZ7Dk2O~QrfO;kbE#;+P-gVYJ88}otl*^rgIpzmQv00Co5c`tQ(W43*KW!4*= zrMoiB`*)|Xf=xO$DB=H^kM Date: Sun, 31 Oct 2021 14:11:37 +0500 Subject: [PATCH 005/122] Add files via upload --- .../images/uc_workspace_overview_blade.png | Bin 0 -> 16055 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/deployment/update/images/uc_workspace_overview_blade.png diff --git a/windows/deployment/update/images/uc_workspace_overview_blade.png b/windows/deployment/update/images/uc_workspace_overview_blade.png new file mode 100644 index 0000000000000000000000000000000000000000..18dce5e83156b5e8904ff9e72a54f69b39f943f2 GIT binary patch literal 16055 zcmeIZXH-;Om+wnX1x3z+H?Qrf6X2HNJou~goy+T3yVxc zU0ELs3)>M33rCR%2l!@XpdJJK!uHZvdw^9j1o;Vkz#*vbNMfE&A(2tVxm(noT{_HBr6V@;?jxyz z$P(|*VzLYCr#a`peWvBszt!ZP?=>A98}#>lnzr!&9XM2Te4KOs%|FxaS%NT%3KT7j zV){=v8R8Mklc5RHlfo3}9-Y&?>T8_6RJ>IXxA$ z;R<9N^S$g|$1J`j?t3Z@6@Eu3P{8-bzQDQyRq1BkDHsRK76HR48QeLnJQ%}?hw}R| z3BSH_%f6kBoJO&1`;J?%bw`u(uWL*Fdd(JUe%ohPwJ1Y~YyZiHL&nz)8gR4M*OMrZ zf}Zbf#|6)N(%m_uk5hjw$llFFvv*W@Th*5c7;%zm-DS(@L-~CX8u8H!8FVbm3TsN> zA!45H-FZH~KJl@hcl6p9moDOGNk52_)(lavY2SVxGb{!?E3 zMP9Jh(3lc5UdqxXZezt=+IPbk1#w1=<_M|P zAl!hSqWcawbCF8!rU9ZfE17yN!ZC2_=^&2Nq4vHCqlco2HFNzUz10jV22B2#4~9$v z^@X7w*bJC8KL7UQ_+OTfXS=1VuC#S2SK6TBizQ<_Q}%a1_=9ra_Jd*z{jS?8_#Uck zaP)Fn*)3kGF?r2&FPXuSa9@miqxQ~rk7PJ^Ldy?-)Yp^5y#zQ~I`P08wUl~Tzb8B<8ljeRgh;!95$kLTz7V(jYsOl6aOBEgntq-?q z-|LT^YWgr`%J!-u1no&iiT=s0xA^)stX4p2)9%qUj-@zKNJl=J;G!AAE9^XnduS_4%7SWK2v;HoN293jyN*e;XY*pZfApjC&!0v;3zt{bcPs zBej_NdscId8xJYp>hI!3cQw;uX6#G?;#{ni1V~g;Icy_EW-`nyDBWY0cFQ_UDuo5a zO?dM)6Zx!_3qf0~Gd?QCF%9{}4srY2hg*^oDMC!HT=@o2^>1F~k{QIsno5qV%)}IS zf)2iwnjHu`jb5P}qwk3> zQc>1i9Uaw(op%MB*uMgzhVSnZ_iBYib}|?w{C_ut>QIYUKkrDug;9h~-4cH9b+TCl34Bd}YvK>3WWT z;y*gsVuaA7-5u7vGe_y}T2tQqoVl}UgJo72AzIGK5OEfehCUg>xE<)AUV`l+J(P2~ zU6AzM>rdbTChz6qv*D(#x0NVifeOE2|4E-sx6d3@Z-mpFa8jl$w7N9;j}+{g}IVdMaXgg>vO$YLbl(YH%UgnGsfydh1>PrJ_;+YFm2g;0oM`| zJ0B>z_;xWt*-wVtJI`NX5o+h$Q8gJ2TCILZzQ{2qhVJTY`@s+z&XwhJD@yCH^AGve zIeO@8u3|#E^e-mPmQ>=7FE4!F`@|YchP>9B3hU_AuWqBFcI#rJN2kHdN#N%Mym!F=@17W`zjkgLAfW>rDC(0LjaMfFR}4wZ4?!cG|Cejl z6rkW+GJfs&^kNCZ?*8-hb#C)%VQ9oXTX4j3IP1mj)O@EbS^w+HV-B448e0Z2wCkN3 z0f_(ccBHg2MuA!p>PPi1jKQ`JVN4Hxs7eEliHzVtCkUIOwLsCg1R5ebbs=c2NF-gN z8+ITKll*eXaGtOOAJPd!5wH}Zk0rr&=Sr>{;Uvu3VGT#}{O9M#!Q|!ydRt+d!D$_> zk9S+K90qC;N!;MO_{tG2*Z4xVsG$HNwSf8%qmzYYA%}*62G~v`mF)A76Y|p&!Oa9D ziPwIYVl|c?^rFjpzz{)>2~pT!J>R=AGy(V-A^;Em@KO6A_TtVteQ>VL-_~shw5)+! z-SFmq|Bp1Hn;jm&B&W8T4_Qhb%dgl1W}GlHjV}bR^DKfXK^Nqw45B^`m$BgrJO{d- z3j7z(4$)faQWW4`Wf~&cz!TOzVFwey_r+88VkH`|ya$6QEpYC)DOTSzTtx@Kkg{{Kdb)Dl=H>@&Pwgl7q_8AFdr%C4tPUm1lk+fNN|kwgbs+A6iJZC~&H zR?UtU=bn>^8g9%{5ok*g*?i_3iEBz`DU*q2*b)s=v8NuUbY-XBsK#-cNgZKX>(t|_ z2WGB*beHM6g>G<9MyOZ%p=v~t->u|ME(Q1Hgv;8+L4tAd9|)-bG`s&cGl!Nf4o23A zY5!%xz!}mUgZ0h%8%pLHR)znCvU(nE%+UbG%7DbEyLPnmU5thZe>>CW$Rgy&>ZY`o zdz8^YL@mUr-G!fIAdx=$m08rn;e5*}#pQ=2v>3A!BjQKaB=zvYqUc{HVR^zC!Sp$k8<=Vr1XM1)6>qc;*_)>Ter&uy-)4R~`C>v$C2 zRPjJ5z!sSCSn?lt@x336M85RleMHfmK@=p_jiPc_&uDhJ@zeLt+NCP;P_(fl^fE$Q zqh7muct)8%VP|lk_W9KnOFcp* z6U|_&MSOtGi(MXK1CPMH4kx5-rzUFg7e*tfHgFBYN=AvIh0%tiL_O|5&i}YcWR@@7 zrElx7u9=NuTE#Jfx=PGHDlo$WMGrbKJEww#457(hgG%=eVEwL24htVNPimT3V_(3v zVGFH6ii&8~^X|_WnVJh4YKqwAm=DFbqZi*Q8P;SK4d`WLP#cwuNQ27F^cgjxoSPIF zUmM^>VPbSWT4x(vFOCvtlrab^_4LD3Cb|BoGD6 z6Pnbjsa^Aa>n5HMm&RK=#BPw$(5Eh@{3v(&!)+0Ri1sOxx?<)9CMyi0>rotd=xvMD z(q>`Hm<@ZkJ=5fzD@%vcq&TQtCT`EaZ2fud6ZM)@&0m&-sl3hIi(GKyvhNsH)DjZ&O{qL?D3~YSm8TJEw!(s zBPxW%eHz?q_)gX7DE3-UBDj=!&4_;XM4>g&Qi$!(aKpGLzqmGrt}VZG%+08r@G)Fl ze5SrV^G6X*a6ZRO%Fgo#5{t3n=H<){5UTJ!3{3PLWB3PR!g=Au{BALyuRRLSm&D_% z=sgZQFp+s6Ing&fKYUD<6m-mQ6&f~Wfs~AzT<8#JJ9P9Ib; zyMkS8t+cqAd3=llNl=$V2i=t$soyiYH)H{B@1u3f#;5bLt1g4rP**7GIBmoYP8s*z zc}sa#I|EW{HY0%lp;=-mg?hQx*aE{vbYNQ+?4*@~{Bd@3j^%DfE3t-VeA5u)YFoT} zFCn2>Ou3KU8FevrFEgrFOelvUJHbyW--*N|OO{Myu*BHLm}!h=;zNaI_#wa66MF(IUh7aJU1#UzRmqBb9J%{ByI zdbXn2%bWQ>Sn(sGMpDhd5kD{5jB?XTy4jt8Slnma2SJM1t8cfue>HrUb?2>3a#0^q zAVT$PEm>+TS3q-MahRJb=^s!r1-ShM{U6zYrjDIk`w85TFj>OZZ!ZU|1tp_1Le6;{ z(4x6qDx5=My^d`RswVNhHZ2Ve7mhLg(==vMTw{0ImS}{*N)b9t9YrK!l>E=E-v~uV zp#qGr12s`3tNaKS+L_F>38r_}Y4r~nGP0PyHguL`E!E9d@6O-1`2ce*vBn0~XfAED zI#QEX&!TKnK~|WmSy!b5Pi%gOM5fyZJ%P5rV#R)QZmU(ztgGzN7(x}A$0XR4Eb1ze zd2hDZ;Jr?cjK*(<%NLKqEYhhWe|@{Rw^-S za@ELtedK<9wDLw5MVdM2pn3GoYnVmK6K|p5?^sa-n{lmkHcf|Z1^%*%1ODD`=b}#x z_OrRZKHqb1TPzgF9ITs>_yU7m&ILoyk#1G%Eqka5`<4CRt%1)*(siFXv`8<9izUDsHzy=@ z;Zj~sVZIezZ7AYvO~aMoRQ$j>jaZ0g^rLNMg(ls)+r3DlCG*J;r z?bC!B%LQbZx+ZQToRH&JB;)|aF(?{N7$Lqalg4w8snPGDwU$z{b_EH3zr*x|iA21z z{9{}Cy~lB-3AC?DJXFEJDs)teEVuxy4P7|fm4>&TeXA_0Hs`{GBo*N2QZlehn~Ww; z(LTkeo8Gk*WlFLX!JExYeC6t^oxK*Pq%V$QW2J%ls?Qxf7Z0(ugyJIuVU*0Fb1BXrk{Ye4&AbUurGPtO)t=N zl5i5V^Et@B=a0pHH2GETdxOLTV3o`=HSUqi_vxnBwPNnIzQlCHEDq-+ufDfl$P~?5 z(SbAF?1HaWDokugCP|xf7u)%nvo^{t+(Q`urPcZf=@q| zNB<~+_jeU=FAH8A7F=s3_?^Ud3J)!w?l8ajG-nMsIz+4%Cwek_eWnm6Soqi}IErDa^^x_;3$2d^bEP@^k242Uy&gn20%V+1Dijlm|lA>*BEWaI#S_fEE%T zr(0J&9lHjDckxwDmW{e-rGiOKPNOszh<=}puvVUVJ(^98TxMPl9wX2>^O_V`X6@d0 z*Ec0=KARs8T4sF**1F}$Y*95;=ZT%^f&1Punbd5k)Z$$AD&tEK_SV#JpcE>bJnB8^ zrGwh^_*7~nZVC3iwl(IH_e*{p=fM(nho(|PP}tF+=}K}RH9vH2?OssBQTF@X)`Q=F z(36*Ik@TBShhDVom!#J1NGOY28Bl}e?kjJ;OiX4g51y_-R$=I#L7?Yr_dL~CiRmD2 z`*iX?=ehDPk22)XR@^U-z-G&QmVsZ@+^@~f%DgdddCqO9i>~%Rk4##1+qb*U)s_vS zGJftVBV(4|&P#*Us7ngfXrVMbcSJ+KYH4=%<7IgI5pUTm$16YWi`8aiH85Vn`KrD0_I{^l!wqMTetaX&O8oa5}VI&AFq( z3Z4#eAWiFZt8sc#2jvf`rSH zQl=^=Igdq%O>}!7u9ThN*vJ+Y7~ct@f>wX(xd~$+U>|zhYgE{uR8*yNgcdWtHZpN3 zRD;?CZEo$^qRPZ;NKw^viC=2SFL&K;97Vx)KwLVu(s5$0;^^fT*YCl7EA0+A5Mn$s z4@l0GZIsnRf#`7xe$h{bV?7;Ej(|hJs0$0!MSv7=)X8Ni=YlPLigqiwCf_|%yz$!q zI^d8sz^eY{>M^P%d4R^wj#=yY$CtjwcAhShb@IF>HxLOlk--uRB7XelROCQ}P%g_T zS&l0*=_vz;M@*RyKae;fELBYeEvMxD5BmFHhT1`pd@G14Sfj-a+tv5xHX1DZN67d) zaQshh%c&CIaO(=(yZ3vcHF!8jHi^kr3%d)O%H!f>w?HjPqQm3YL@}=INVWSy3oE0o z7S=~Bj}T>kK|$90zGak&wMau4bfh(2!ATa~NtB6;be&MB+jGd+&vGJB`?gw( zvITm`oF0GkXANlj=tATHoiW59{9cYSuo^jsF%F&%Ohha1dcM}CPyLO;OHMQpY3mR`LNNaI1q-CYE3jM zZPcfZal%GF5sf!EDBETEY_H{|D=|o}iyF{@^I6Ebe+Mzu@xLhd75zE4 z^p)GOqt6S+i169#8s#sP9?%eAdW)adytn_H823aV$wd?OHvMkybWTO8`DlZ~M8<5l zGvtA7S5~gpzG!0o`6rJrF4o#TBypQClwG#Q^NsrN#QyzW4;V0|sF*6vjE>3+qL0L^ z=rE5v9+6nY&SSbteXB(z<+r21a)OiOELO?0ge^cBoaT*Ei$LIG_Cvh`pfrpXCyoO?0PUI+|DgdJom|(a(y4CJAe&Pc_J#)_O*kyYOj}WmRuh zpdkzy%U=gidnY0|e(M;G3#-mE(G6?B_eXvS!1g{$T5=DY$hhLAPMz zMW6il!=ETwZX+n1(PL*(@cHRPZu3P){L7Qf4Ft2?g$IG*s=%J1)6WF1)9aD#jn=N?0lVnWa{WAG z-#61Fp0{3MWmGntP|4{$5QGg;&K~}}kAT^{L>6pcmbN-XJlH>5_yQkv`EiU*`d)02 z_KNnYc~8Z&pdbp{cl@q8@kK>NneHv8k@OahbGTJ722rX+%^wHgtbhRBP*L)mouO_v zHPN8p-M5uNWRzLK61yiMYncmI0utDT5h^Exf(} zPVn2#lQ)lY{L48`3|2s1J+K-jf4?QaPx)*=@%xMX)5bq78QQnMwBu@0n_!dkJR(F( zJ(6-A%ax8MXZ`WTi@Vl#y24!BQGA>x@q`-z|MqJBH*WABW+#T3eaVasmJ`sTI&)4_ zwU*0|uQMN+#k=SANeDS{wF7k9Ek&mVLw-6fA#+(*C;~rs{4qE%wZK{UqwxH|wSyac znU~(mts300$fMLci;eG;Uy4M*HfF}#Ef}wKWfl{UHA$%)uCdhD+uu#IJ^tGSIL_n;oh zTYky89s?bgWu$s!LP{N@`zMdW8o#xMPH7?VU(p$Vx+-s-(a!cLc;1hf+JOxdkUNVt z&BKq`ubdcrR1- z+7okKikZ7wwp{GaHZ)!_BF4!3`~d&$6~-<;Do-V)uof8~+YwRh((-Aawnt6k;7L_p zJxCumJDA+E3~w0QpUa@f(Fa2+xX)nqGWfd>l_0d<)v%F5T|{mG)TC}Zwhw)rxZmOD zbTA3$V|**LX?#LQ&pGBO7YA@ zRhMtV<@E5r?l{4F+e;g)%3T!Rd}UwtrnRnAQ1)3NCmxGE&MlKllO!43YYsQ?F;(Rl zRGugyK(xTD2zShFtkCfx@2UAez> z&)$UBS8;FJTAMD(#l0VbPFHX=M;`jiB;m~LkpkmnuG{9K0!4*9Xi$=VF-3CP{%(uR8l zybh&^x8!PrX5n6Z#75LvUL_$&OJJ|5Spk1Xc|?o=cp6~=AI*0fV|m%CVEkA>B-9fB zAJ>#dEU$chqp7KRe*9;l=Gib%SYU92lo0u#i;dBO1XvazXSXqUZ_R)HqlRXn4&hgT z+@|dB@4r!`B9;$+jzYk0x zt8d9~Q>Lt@%isJO<%dKKq`_e49f-C{pH&BY9U7W7@83bE(&p4!cqWlb1vBuc?V(N; z>RNn)%1RAsgsF`Cw#9hkQ47)somc^{VxzZn5n{ zKPrW3W#Ys!FOt^1P4DUlCbYcom&{}`sm;{sd#y!cI}4JYp5i`(Pls`7Og|s;a@g+F zBe4Hg{OvMs1f%fWQDvnQ@%1}vV7{2iX3B_19EzO>Y>-0po=tA&K_AKLp2_r+G?Vr6 zcqt*Vo;R8M*+^<|-X+<1Xl$khc*&!upx7%+yYhP_MtZ-{Ctq1Q*W(ksD*|PESh7;% zvKZN=W%Q*9q3a?Yr;q#0wb@4x+9!_KPje#aY3f|=QgR%485wEoc|(2O9l}y{iTF1Q z_eJ2(?RbmN)b5*n0&^bU4<#W|ueRkyBYq?WEzxz2`hU&*v3uDp?j)2&JhSx8ZZ06y=*lMY90_YKdvjlyd>san|fX0@- z;OerH%U%#Qu2FtKAN`)MY(AR903wi(16~9coqXZRPXk?1qV=5=4%mSUKT!Yhv8{D2 zkk#)xfz>)dC)7egyrdRD9<6;mY|Vw|LcNyPp$dy%m%MUY<8wXQbaLe`Z=hG^^@dmS zY0(ovaYAQN1Ehx&P9C($b^^V@Wn6i&z~jl*;FS$wKqCtuW&tU@y`eKkPRJeBvl(qa z($MgA@D;^z$F!N}bo#c#9~qGw?Fz624mci-Knu;B%`@JdL@+yuQ0i&x@#TWwVmn{u zOV$g4cSsO{^9>xWy)Uo2ln=@$jwDwjXO$X@coNbA0GZcuwq-eN;=h{Ii0B zNELyM+RpUAA;{|No?z&Es;^nRbsIzl)!>qhDL)m}#*E~k!UIJwa{b%p z#|4Ge5!%9Vfa?lp`1dDnp}*1|t86AMmaJXB1U@?}quFZNkFUJW?$?JPdwV{x++Rq$I&o`Z_`qcKq~&qw!r>}qW|Y%_ zva&YZ2CT=$=k>W8BBSm2~#pw=Yh_WERNdgn8NGv}j9 zMf2U4+KM_RPd0KX!Sr;2M@zIp#*c1~Nk7q?41APw5_Bk7_ROM2C#sa-=1KT6#I&6* z_L&iLijFeUgQHK8e#vi@4iAQ?gzziPXB_;$!B9vJ2`QD&r!_U!L^SV=fzTQ3gbn~9 z1~4J*-z3zUHC-0XJBcOA27waHkbRRCdd?LFW!EnF{Q)Faa3&PmX)ogrLlgukrw$PD zM2qS_pB1a~$sXm7yUhrcS4sIjrZ4j$a}<%vw=%|V&tYr~kn)QZv{igpyU}yo9h|Xx zj{pAG6S!)Ik3lJu)mcaA_coS1H=1MWu2Lukeb3Di?Wwc)jCG%l%f79Sf=&5dz* zS9Lw!+Fhw5)g`7>$j@R5j#apM3#7@}PvhDsgt6LH?0lgT^SPt!jd`Q*ar9E%j1*(Fv0p(@}Z;tS8>GaT{fLB>FgO60Kz8z#FCowtjQ>gS3L8p^^cy_Xfw%*++zN;?nMTpRp9mI{UyL zqCYgoRM=Up*rZa1TZ^bIiHYFIzVJk|fi&GA{x5%fL^=u79NvIW0nD`U9=@$ZX|4oB z(l|JqVO=3RR4;Z?ML9zqcKb8*QcQ5kK0>D{&2g1vnSx)dSuE$57^sXCEnThzWqCDe zNM9*T6hUDEJ9qNpDAfmlG!>*3KiF@ujS`FClelTmJ{ zu7gMpq_0MtOJ&tpS^B`XdqnZf@s!901Vr-A=#K;y_PLR-wQ!o~Vwz)FZRF}FQp!Z5 zxG17w?gV!DVZL?~1IrUrMaljVPu(t0hBVcD{7A%VHgDCIiD0%U2D3jzBe!KRT~LZF=6p$ic7 z2=CR~9%pNxZ_QQ)9J-`Zo#@JZq4Bq+9%k`7^V`6v&4?!{h}XF<1pWRr4W0&e{De7f z<5iuob^oo%0jgAJ0juGDEN&mpb;fbv;-zFz#I6)RAgp~DyXiehjmIC@*nV4{Kl=ZG z;O?K>e}Q1X<*{l<)Wz9RhR?`+hNuiw*xW$3ZAV}IO;PL1Y;6LIX*&gxN36q?7vf%* zIEbKr&BbCo582F}*l@XAv$e~o>bt4$7Pdmd#6~Bz44?~G9FXaoZc-lLD1{9@W@PAruEQqU@%H#}8f%Hfgo>e)ugUVYNDTbid1L<>&` zSBof%w~-R7O}Exm>CM|ONi#99O^ga!P~f`xrpS8X84%y!r$R?Qy9aeA4c&DUD+_|cqnTpNaN<>jpxiD5E^bH0we zWcFVacOP;;(ZsbC46NYQQ4>=k=Ig?PX5Agq_hGwpS%k;_v6evWrBX!0iZ`IFJ!$`# z7lRvZ23>ZrEe3=n>Wlj>|bZSkn&77~H_mKafo)BMysB$ntfo23_3PKbnpC*o}f zK*?&T=|fY_ZCZ-YpoS{Ui1H)KBk+PRq@!XZ{3>*nrbzHZxH&K{aC2V$CsCg&2p#Dp zG<12+I92|BEg&Y&}8> z4ioJ*rwx}el(8c1=z&dj@!7@8ZLr>b-;-p;U*_}4PesVW>6#zbcStb=ymN4nPF0>_ zp8Sr;X=iX8L8%kGhtC0C}4* z6<@_z3Y@xdriv&QVRc0`fxP z$$!;o8AA^mnX3-GuGp+5LU;erk2&Szs-Jd7PwR-OOuf`~##DN??c|711>=XOJeiWJ zM3RitfJ;=z8U8ex{Jwkqt<4-U7WLqz;fxE=wKg2o(LKr46lm)3**%J~5hqg*5_V zMTP##@3i2uns%<~80F$(QlE$jx1$@yt>fLNj72&L1G;ZK<6ENEn3Tjv19ne0`})IR z^#l^3RJDaUE}_Eg6i&@z6!f~>M_fSpVu8^k%6Ik$-^QlSDV}x+h|;3CATz?NLrTe} zW|=&v$|<)9nKchFg@I|#Xw0`fNA&IJ9&-VkjD{84+p68&oQ9B72<@9sdxpuB(v(G` z>z}NM0`Lu3D0`?>mtLtOd6J7i_9}A0(<$^QzS@hcE;TiguRa7`0VwANyK+2ltVgcc z5(O}E$bti*Yh#ezIe>`VzShjYESXZ--8FTi!AT1DD5P8o-kwsKl6#~1&<%-{7|GLMUY#{AQ|9FsyB6(VZ|V0wY%Kr zCSOjVAdNp9x}UJ?X|4ghskG8G} ZUF6sb^2TvFfS1j&G*onyD;`*d{Wl8Cisk?S literal 0 HcmV?d00001 From cf1afe2a2abde259c59b1b7df5a3e8324bd2109c Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 16 Nov 2021 21:31:15 +0530 Subject: [PATCH 006/122] added windows 11 after reading this article, i found windows 11 is missing so i added windows 11 I need assistance from @JohanFreelancer9. --- .../identity-protection/access-control/local-accounts.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 6ad17afded..c285a90fc9 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -19,6 +19,7 @@ ms.reviewer: # Local Accounts **Applies to** +- Windows 11 - Windows 10 - Windows Server 2019 - Windows Server 2016 @@ -73,7 +74,7 @@ The Administrator account has full control of the files, directories, services, The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled. -In Windows 10 and Windows Server 2016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation. +From Windows 10, Windows 11 and Windows Server 2016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation. **Account group membership** @@ -558,4 +559,4 @@ The following resources provide additional information about technologies that a - [Security Identifiers](security-identifiers.md) -- [Access Control Overview](access-control.md) \ No newline at end of file +- [Access Control Overview](access-control.md) From ba2224e322f231f819743869df0e66fb4d1385c7 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 17 Nov 2021 15:48:36 +0530 Subject: [PATCH 007/122] Update policy-csp-admx-terminalserver.md --- .../client-management/mdm/policy-csp-admx-terminalserver.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index ed42ebde3f..1ae14c6f68 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -33,6 +33,9 @@ manager: dansimp
ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD
+
+ ADMX_TerminalServer/TS_RADC_DefaultConnection +
From 2cd22d65d75e7333f540416fbe0c84a32f23413a Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Thu, 18 Nov 2021 10:14:07 +0530 Subject: [PATCH 008/122] Update policy-csp-admx-terminalserver.md --- .../mdm/policy-csp-admx-terminalserver.md | 72 +++++++++++++++++++ 1 file changed, 72 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 1ae14c6f68..2833f7d9f9 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -189,7 +189,79 @@ ADMX Info:
+ +**ADMX_TerminalServer/TS_RADC_DefaultConnection** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs. The default connection URL must be configured in the form of [http://contoso.com/rdweb/Feed/webfeed.aspx](http://contoso.com/rdweb/Feed/webfeed.aspx). + +- If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL. + +- If you disable or do not configure this policy setting, the user has no default connection URL. + +RemoteApp programs that are installed through RemoteApp and Desktop Connections from an un-trusted server can compromise the security of a user's account. + + + + + + +ADMX Info: +- GP Friendly name: *Specify default connection URL* +- GP name: *TS_RADC_DefaultConnection* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
From 769d57be92be5b607b8ccf2aff46d27f2f2f50c7 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Fri, 19 Nov 2021 10:58:04 +0530 Subject: [PATCH 009/122] ADMX terminal Server Missing polices - part1 Added 44 policies under ADMX Terminal Server and modifies existing content as it was incorrect. --- .../mdm/policies-in-policy-csp-admx-backed.md | 44 + .../policy-configuration-service-provider.md | 132 + .../mdm/policy-csp-admx-terminalserver.md | 3434 ++++++++++++++++- 3 files changed, 3594 insertions(+), 16 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 6256ffe15a..3b44f8e00e 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -1131,8 +1131,52 @@ ms.date: 10/08/2020 - [ADMX_tcpip/Teredo_Server_Name](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-server-name) - [ADMX_tcpip/Teredo_State](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-state) - [ADMX_tcpip/Windows_Scaling_Heuristics_State](./policy-csp-admx-tcpip.md#admx-tcpip-windows-scaling-heuristics-state) +- [ADMX_TerminalServer/TS_AUTO_RECONNECT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_auto_reconnect) +- [ADMX_TerminalServer/TS_CAMERA_REDIRECTION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_camera_redirection) +- [ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_certificate_template_policy) +- [ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_1) +- [ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_2) +- [ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_1) +- [ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_2) +- [ADMX_TerminalServer/TS_CLIENT_AUDIO](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio) +- [ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_capture) +- [ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_quality) +- [ADMX_TerminalServer/TS_CLIENT_CLIPBOARD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_clipboard) +- [ADMX_TerminalServer/TS_CLIENT_COM](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_com) +- [ADMX_TerminalServer/TS_CLIENT_DEFAULT_M](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_default_m) +- [ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_hardware_mode) +- [ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_password_saving_1) +- [ADMX_TerminalServer/TS_CLIENT_LPT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_lpt) +- [ADMX_TerminalServer/TS_CLIENT_PNP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_pnp) +- [ADMX_TerminalServer/TS_CLIENT_PRINTER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_printer) +- [ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_1) +- [ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_2) +- [ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_turn_off_udp) +- [ADMX_TerminalServer/TS_COLORDEPTH](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_colordepth) +- [ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_delete_roaming_user_profiles) +- [ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_disable_remote_desktop_wallpaper) +- [ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_dx_use_full_hwgpu) +- [ADMX_TerminalServer/TS_EASY_PRINT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print) +- [ADMX_TerminalServer/TS_EASY_PRINT_User](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print_user) +- [ADMX_TerminalServer/TS_EnableVirtualGraphics](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_enablevirtualgraphics) +- [ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_fallbackprintdrivertype) +- [ADMX_TerminalServer/TS_FORCIBLE_LOGOFF](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_forcible_logoff) - [ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable) - [ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method) +- [ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_server) +- [ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_join_session_directory) +- [ADMX_TerminalServer/TS_KEEP_ALIVE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_keep_alive) +- [ADMX_TerminalServer/TS_LICENSE_SECGROUP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_secgroup) +- [ADMX_TerminalServer/TS_LICENSE_SERVERS](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_servers) +- [ADMX_TerminalServer/TS_LICENSE_TOOLTIP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_tooltip) +- [ADMX_TerminalServer/TS_LICENSING_MODE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_licensing_mode) +- [ADMX_TerminalServer/TS_MAX_CON_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_max_con_policy) +- [ADMX_TerminalServer/TS_MAXDISPLAYRES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxdisplayres) +- [ADMX_TerminalServer/TS_MAXMONITOR](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxmonitor) +- [ADMX_TerminalServer/TS_NoDisconnectMenu](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nodisconnectmenu) +- [ADMX_TerminalServer/TS_NoSecurityMenu](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nosecuritymenu) +- [ADMX_TerminalServer/TS_PreventLicenseUpgrade](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_preventlicenseupgrade) +- [ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_promt_creds_client_comp) - [ADMX_Thumbnails/DisableThumbnails](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnails) - [ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnailsonnetworkfolders) - [ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbsdbonnetworkfolders) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index bbd3101f94..fa5d7a6fb0 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4067,12 +4067,144 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC ### ADMX_TerminalServer policies
+
+ ADMX_TerminalServer/TS_AUTO_RECONNECT +
+
+ ADMX_TerminalServer/TS_CAMERA_REDIRECTION +
+
+ ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY +
+
+ ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1 +
+
+ ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2 +
+
+ ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1 +
+
+ ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2 +
+
+ ADMX_TerminalServer/TS_CLIENT_AUDIO +
+
+ ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE +
+
+ ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY +
+
+ ADMX_TerminalServer/TS_CLIENT_CLIPBOARD +
+
+ ADMX_TerminalServer/TS_CLIENT_COM +
+
+ ADMX_TerminalServer/TS_CLIENT_DEFAULT_M +
+
+ ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE +
+
+ ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1 +
+
+ ADMX_TerminalServer/TS_CLIENT_LPT +
+
+ ADMX_TerminalServer/TS_CLIENT_PNP +
+
+ ADMX_TerminalServer/TS_CLIENT_PRINTER +
+
+ ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1 +
+
+ ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 +
+
+ ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP +
+
+ ADMX_TerminalServer/TS_COLORDEPTH +
+
+ ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES +
+
+ ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER +
+
+ ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU +
+
+ ADMX_TerminalServer/TS_EASY_PRINT +
+
+ ADMX_TerminalServer/TS_EASY_PRINT_User +
+
+ ADMX_TerminalServer/TS_EnableVirtualGraphics +
+
+ ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE +
+
+ ADMX_TerminalServer/TS_FORCIBLE_LOGOFF +
ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE
ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD +
+
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER
+
+ ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY +
+
+ ADMX_TerminalServer/TS_KEEP_ALIVE +
+
+ ADMX_TerminalServer/TS_LICENSE_SECGROUP +
+
+ ADMX_TerminalServer/TS_LICENSE_SERVERS +
+
+ ADMX_TerminalServer/TS_LICENSE_TOOLTIP +
+
+ ADMX_TerminalServer/TS_LICENSING_MODE +
+
+ ADMX_TerminalServer/TS_MAX_CON_POLICY +
+
+ ADMX_TerminalServer/TS_MAXDISPLAYRES +
+
+ ADMX_TerminalServer/TS_MAXMONITOR +
+
+ ADMX_TerminalServer/TS_NoDisconnectMenu +
+
+ ADMX_TerminalServer/TS_NoSecurityMenu +
+
+ ADMX_TerminalServer/TS_PreventLicenseUpgrade +
+
+ ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP +
### ADMX_Thumbnails policies diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index ed42ebde3f..8e10cb601a 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -27,19 +27,150 @@ manager: dansimp ## ADMX_TerminalServer policies
+
+ ADMX_TerminalServer/TS_AUTO_RECONNECT +
+
+ ADMX_TerminalServer/TS_CAMERA_REDIRECTION +
+
+ ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY +
+
+ ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1 +
+
+ ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2 +
+
+ ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1 +
+
+ ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2 +
+
+ ADMX_TerminalServer/TS_CLIENT_AUDIO +
+
+ ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE +
+
+ ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY +
+
+ ADMX_TerminalServer/TS_CLIENT_CLIPBOARD +
+
+ ADMX_TerminalServer/TS_CLIENT_COM +
+
+ ADMX_TerminalServer/TS_CLIENT_DEFAULT_M +
+
+ ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE +
+
+ ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1 +
+
+ ADMX_TerminalServer/TS_CLIENT_LPT +
+
+ ADMX_TerminalServer/TS_CLIENT_PNP +
+
+ ADMX_TerminalServer/TS_CLIENT_PRINTER +
+
+ ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1 +
+
+ ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 +
+
+ ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP +
+
+ ADMX_TerminalServer/TS_COLORDEPTH +
+
+ ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES +
+
+ ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER +
+
+ ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU +
+
+ ADMX_TerminalServer/TS_EASY_PRINT +
+
+ ADMX_TerminalServer/TS_EASY_PRINT_User +
+
+ ADMX_TerminalServer/TS_EnableVirtualGraphics +
+
+ ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE +
+
+ ADMX_TerminalServer/TS_FORCIBLE_LOGOFF +
ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE
ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD
+
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER +
+
+ ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY +
+
+ ADMX_TerminalServer/TS_KEEP_ALIVE +
+
+ ADMX_TerminalServer/TS_LICENSE_SECGROUP +
+
+ ADMX_TerminalServer/TS_LICENSE_SERVERS +
+
+ ADMX_TerminalServer/TS_LICENSE_TOOLTIP +
+
+ ADMX_TerminalServer/TS_LICENSING_MODE +
+
+ ADMX_TerminalServer/TS_MAX_CON_POLICY +
+
+ ADMX_TerminalServer/TS_MAXDISPLAYRES +
+
+ ADMX_TerminalServer/TS_MAXMONITOR +
+
+ ADMX_TerminalServer/TS_NoDisconnectMenu +
+
+ ADMX_TerminalServer/TS_NoSecurityMenu +
+
+ ADMX_TerminalServer/TS_PreventLicenseUpgrade +
+
+ ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP +
-
-**ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE** +**ADMX_TerminalServer/TS_AUTO_RECONNECT** @@ -88,22 +219,2249 @@ manager: dansimp -This policy setting allows you to specify whether the client computer redirects its time zone settings to the Remote Desktop Services session. +This policy specifies whether to allow Remote Desktop Connection clients to automatically reconnect to sessions on an RD Session Host server if their network link is temporarily lost. -If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone). +By default, a maximum of twenty reconnection attempts are made at five second intervals. If the status is set to Enabled, automatic reconnection is attempted for all clients running Remote Desktop Connection whenever their network connection is lost. -If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone. +If the status is set to Disabled, automatic reconnection of clients is prohibited. If the status is set to Not Configured, automatic reconnection is not specified at the Group Policy level. However, users can configure automatic reconnection using the "Reconnect if connection is dropped" checkbox on the Experience tab in Remote Desktop Connection. -Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 or later. + + + +ADMX Info: +- GP Friendly name: *Automatic reconnection* +- GP name: *TS_AUTO_RECONNECT* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_CAMERA_REDIRECTION** + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting lets you control the redirection of video capture devices to the remote computer in a Remote Desktop Services session. By default, Remote Desktop Services allows redirection of video capture devices. + +If you enable this policy setting, users cannot redirect their video capture devices to the remote computer. + +If you disable or do not configure this policy setting, users can redirect their video capture devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the video capture devices to redirect to the remote computer. + + + + +ADMX Info: +- GP Friendly name: *Do not allow video capture redirection* +- GP name: *TS_CAMERA_REDIRECTION* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. + +A certificate is needed to authenticate an RD Session Host server when TLS 1.0, 1.1 or 1.2 is used to secure communication between a client and an RD Session Host server during RDP connections. + +If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected. + +If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected. If you disable or do not configure this policy, the certificate template name is not specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server. + +>[!NOTE] +>If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting. + + + + +ADMX Info: +- GP Friendly name: *Server authentication certificate template* +- GP name: *TS_CERTIFICATE_TEMPLATE_POLICY* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. + +This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). + +If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. + +If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. + +>[!Note] +>You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. + + + + +ADMX Info: +- GP Friendly name: *Allow .rdp files from valid publishers and user's default .rdp settings* +- GP name: *TTS_CLIENT_ALLOW_SIGNED_FILES_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ +**ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. + +This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). + +If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. + +If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. + +>[!NOTE] +>You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. + + + + +ADMX Info: +- GP Friendly name: *Allow .rdp files from valid publishers and user's default .rdp settings* +- GP name: *TS_CLIENT_ALLOW_SIGNED_FILES_2* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. + +If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. + +If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. + + + + +ADMX Info: +- GP Friendly name: *Allow .rdp files from unknown publishers* +- GP name: *TS_CLIENT_ALLOW_UNSIGNED_FILES_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. + +If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. + +If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. + + + + +ADMX Info: +- GP Friendly name: *Allow .rdp files from unknown publishers* +- GP name: *TS_CLIENT_ALLOW_UNSIGNED_FILES_2* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_AUDIO** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify whether users can redirect the remote computer's audio and video output in a Remote Desktop Services session. + +Users can specify where to play the remote computer's audio output by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). Users can choose to play the remote audio on the remote computer or on the local computer. Users can also choose to not play the audio. Video playback can be configured by using the video playback setting in a Remote Desktop Protocol (.rdp) file. By default, video playback is enabled. + +By default, audio and video playback redirection is not allowed when connecting to a computer running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. Audio and video playback redirection is allowed by default when connecting to a computer running Windows 8, Windows Server 2012, Windows 7, Windows Vista, or Windows XP Professional. + +If you enable this policy setting, audio and video playback redirection is allowed. + +If you disable this policy setting, audio and video playback redirection is not allowed, even if audio playback redirection is specified in RDC, or video playback is specified in the .rdp file. If you do not configure this policy setting audio and video playback redirection is not specified at the Group Policy level. + + + + +ADMX Info: +- GP Friendly name: *Allow audio and video playback redirection* +- GP name: *TS_CLIENT_AUDIO* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify whether users can record audio to the remote computer in a Remote Desktop Services session. Users can specify whether to record audio to the remote computer by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). + +Users can record audio by using an audio input device on the local computer, such as a built-in microphone. By default, audio recording redirection is not allowed when connecting to a computer running Windows Server 2008 R2. Audio recording redirection is allowed by default when connecting to a computer running at least Windows 7, or Windows Server 2008 R2. + +If you enable this policy setting, audio recording redirection is allowed. + +If you disable this policy setting, audio recording redirection is not allowed, even if audio recording redirection is specified in RDC. If you do not configure this policy setting, Audio recording redirection is not specified at the Group Policy level. + + + + +ADMX Info: +- GP Friendly name: *Allow audio recording redirection* +- GP name: *TS_CLIENT_AUDIO_CAPTURE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to limit the audio playback quality for a Remote Desktop Services session. Limiting the quality of audio playback can improve connection performance, particularly over slow links. If you enable this policy setting, you must select one of the following: High, Medium, or Dynamic. If you select High, the audio will be sent without any compression and with minimum latency. This requires a large amount of bandwidth. If you select Medium, the audio will be sent with some compression and with minimum latency as determined by the codec that is being used. + +If you select Dynamic, the audio will be sent with a level of compression that is determined by the bandwidth of the remote connection. The audio playback quality that you specify on the remote computer by using this policy setting is the maximum quality that can be used for a Remote Desktop Services session, regardless of the audio playback quality configured on the client computer. + +For example, if the audio playback quality configured on the client computer is higher than the audio playback quality configured on the remote computer, the lower level of audio playback quality will be used. + +Audio playback quality can be configured on the client computer by using the audioqualitymode setting in a Remote Desktop Protocol (.rdp) file. By default, audio playback quality is set to Dynamic. + +If you disable or do not configure this policy setting, audio playback quality will be set to Dynamic. + + + + +ADMX Info: +- GP Friendly name: *Limit audio playback quality* +- GP name: *TS_CLIENT_AUDIO_QUALITY* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_CLIPBOARD** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirection) between a remote computer and a client computer during a Remote Desktop Services session. + +You can use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default, Remote Desktop Services allows Clipboard redirection. + +If you enable this policy setting, users cannot redirect Clipboard data. + +If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection. + +If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level. + + + + +ADMX Info: +- GP Friendly name: *Do not allow Clipboard redirection* +- GP name: *TS_CLIENT_CLIPBOARD* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_COM** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. + +You can use this setting to prevent users from redirecting data to COM port peripherals or mapping local COM ports while they are logged on to a Remote Desktop Services session. By default, Remote Desktop Services allows this COM port redirection. + +If you enable this policy setting, users cannot redirect server data to the local COM port. + +If you disable this policy setting, Remote Desktop Services always allows COM port redirection. + +If you do not configure this policy setting, COM port redirection is not specified at the Group Policy level. + + + + +ADMX Info: +- GP Friendly name: *Do not allow COM port redirection* +- GP name: *TS_CLIENT_COM* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_DEFAULT_M** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify whether the client default printer is automatically set as the default printer in a session on an RD Session Host server. + +By default, Remote Desktop Services automatically designates the client default printer as the default printer in a session on an RD Session Host server. You can use this policy setting to override this behavior. + +If you enable this policy setting, the default printer is the printer specified on the remote computer. + +If you disable this policy setting, the RD Session Host server automatically maps the client default printer and sets it as the default printer upon connection. + +If you do not configure this policy setting, the default printer is not specified at the Group Policy level. + + + + +ADMX Info: +- GP Friendly name: *Do not set default client printer to be default printer in a session* +- GP name: *TS_CLIENT_DEFAULT_M* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is available. + +If you use this setting, the Remote Desktop Client will use only software decoding. For example, if you have a problem that you suspect may be related to hardware acceleration, use this setting to disable the acceleration; then, if the problem still occurs, you will know that there are additional issues to investigate. + +If you disable this setting or leave it not configured, the Remote Desktop client will use hardware accelerated decoding if supported hardware is available. + + + + +ADMX Info: +- GP Friendly name: *Do not allow hardware accelerated decoding* +- GP name: *TS_CLIENT_DISABLE_HARDWARE_MODE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy specifies whether to allow Remote Desktop Connection Controls whether a user can save passwords using Remote Desktop Connection. + +If you enable this setting the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. + +If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection + + + + +ADMX Info: +- GP Friendly name: *Do not allow passwords to be saved* +- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_LPT** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals. By default, Remote Desktop Services allows LPT port redirection. + +If you enable this policy setting, users in a Remote Desktop Services session cannot redirect server data to the local LPT port. + +If you disable this policy setting, LPT port redirection is always allowed. If you do not configure this policy setting, LPT port redirection is not specified at the Group Policy level. + + + + +ADMX Info: +- GP Friendly name: *Do not allow LPT port redirection* +- GP name: *TS_CLIENT_LPT* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_PNP** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting lets you control the redirection of supported Plug and Play and RemoteFX USB devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. By default, Remote Desktop Services does not allow redirection of supported Plug and Play and RemoteFX USB devices. + +If you disable this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer. + +If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer.If you do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it is running Windows Server 2012 R2 and earlier versions. + +>[!NOTE] +>You can disable redirection of specific types of supported Plug and Play devices by using Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions policy settings. + + + + +ADMX Info: +- GP Friendly name: *Do not allow supported Plug and Play device redirection* +- GP name: *TS_CLIENT_PNP* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_PRINTER** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify whether to prevent the mapping of client printers in Remote Desktop Services sessions. You can use this policy setting to prevent users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer. By default, Remote Desktop Services allows this client printer mapping. + +If you enable this policy setting, users cannot redirect print jobs from the remote computer to a local client printer in Remote Desktop Services sessions. + +If you disable this policy setting, users can redirect print jobs with client printer mapping. + +If you do not configure this policy setting, client printer mapping is not specified at the Group Policy level. + + + + +ADMX Info: +- GP Friendly name: *Do not allow client printer redirection* +- GP name: *TS_CLIENT_PRINTER* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. + +If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. + +If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. + +>[!NOTE] +>You can define this policy setting in the Computer Configuration node or in the User Configuration node. + +If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. + +This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. If the list contains a string that is not a certificate thumbprint, it is ignored. + + + + +ADMX Info: +- GP Friendly name: *Specify SHA1 thumbprints of certificates representing trusted .rdp publishers* +- GP name: *TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. + +If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. + +If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. + +>[!NOTE] +>You can define this policy setting in the Computer Configuration node or in the User Configuration node. + +If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. + +This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. If the list contains a string that is not a certificate thumbprint, it is ignored. + + + + +ADMX Info: +- GP Friendly name: *Specify SHA1 thumbprints of certificates representing trusted .rdp publishers* +- GP name: *TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting specifies whether the UDP protocol will be used to access servers via Remote Desktop Protocol. + +If you enable this policy setting, Remote Desktop Protocol traffic will only use the TCP protocol. + +If you disable or do not configure this policy setting, Remote Desktop Protocol traffic will attempt to use both TCP and UDP protocols. + + + + +ADMX Info: +- GP Friendly name: *Turn Off UDP On Client* +- GP name: *TS_CLIENT_TURN_OFF_UDP* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_COLORDEPTH** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify the maximum color resolution (color depth) for Remote Desktop Services connections. You can use this policy setting to set a limit on the color depth of any connection that uses RDP. Limiting the color depth can improve connection performance, particularly over slow links, and reduce server load. + +If you enable this policy setting, the color depth that you specify is the maximum color depth allowed for a user's RDP connection. The actual color depth for the connection is determined by the color support available on the client computer. If you select Client Compatible, the highest color depth supported by the client will be used. + +If you disable or do not configure this policy setting, the color depth for connections is not specified at the Group Policy level. + +>[!NOTE] +> 1. Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows XP Professional. +>2. The value specified in this policy setting is not applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections. +>3. For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012, the minimum of the following values is used as the color depth format: +> - a. Value specified by this policy setting +> - b. Maximum color depth supported by the client +> - c. Value requested by the client If the client does not support at least 16 bits, the connection is terminated. + + + + +ADMX Info: +- GP Friendly name: *Limit maximum color depth* +- GP name: *TS_COLORDEPTH* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to limit the size of the entire roaming user profile cache on the local drive. This policy setting only applies to a computer on which the Remote Desktop Session Host role service is installed. + +>[!NOTE] +>If you want to limit the size of an individual user profile, use the "Limit profile size" policy setting located in User Configuration\Policies\Administrative Templates\System\User Profiles. + +If you enable this policy setting, you must specify a monitoring interval (in minutes) and a maximum size (in gigabytes) for the entire roaming user profile cache. The monitoring interval determines how often the size of the entire roaming user profile cache is checked. + +When the size of the entire roaming user profile cache exceeds the maximum size that you have specified, the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming user profile cache is less than the maximum size specified. + +If you disable or do not configure this policy setting, no restriction is placed on the size of the entire roaming user profile cache on the local drive. Note: This policy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy setting located in Computer Configuration\Policies\Administrative Templates\System\User Profiles is enabled. + + + + +ADMX Info: +- GP Friendly name: *Limit the size of the entire roaming user profile cache* +- GP name: *TS_DELETE_ROAMING_USER_PROFILES* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy specifies whether desktop wallpaper is displayed to remote clients connecting via Remote Desktop Services. + +You can use this setting to enforce the removal of wallpaper during a Remote Desktop Services session. By default, Windows XP Professional displays wallpaper to remote clients connecting through Remote Desktop, depending on the client configuration (see the Experience tab in the Remote Desktop Connection options for more information). Servers running Windows Server 2003 do not display wallpaper by default to Remote Desktop Services sessions. + +If the status is set to Enabled, wallpaper never appears in a Remote Desktop Services session. + +If the status is set to Disabled, wallpaper might appear in a Remote Desktop Services session, depending on the client configuration. If the status is set to Not Configured, the default behavior applies. + + + + +ADMX Info: +- GP Friendly name: *Enforce Removal of Remote Desktop Wallpaper* +- GP name: *TS_DISABLE_REMOTE_DESKTOP_WALLPAPER* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + +**ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting enables system administrators to change the graphics rendering for all Remote Desktop Services sessions. If you enable this policy setting, all Remote Desktop Services sessions use the hardware graphics renderer instead of the Microsoft Basic Render Driver as the default adapter. + +If you disable this policy setting, all Remote Desktop Services sessions use the Microsoft Basic Render Driver as the default adapter. + +If you do not configure this policy setting, Remote Desktop Services sessions on the RD Session Host server use the Microsoft Basic Render Driver as the default adapter. In all other cases, Remote Desktop Services sessions use the hardware graphics renderer by default. + +>[!NOTE] +>The policy setting enables load-balancing of graphics processing units (GPU) on a computer with more than one GPU installed. The GPU configuration of the local session is not affected by this policy setting. + + + + +ADMX Info: +- GP Friendly name: *Use hardware graphics adapters for all Remote Desktop Services sessions* +- GP name: *TS_DX_USE_FULL_HWGPU* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_EASY_PRINT** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. + +If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. + +If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. + +>[!NOTE] +>If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. + + + + +ADMX Info: +- GP Friendly name: *Use Remote Desktop Easy Print printer driver first* +- GP name: *TS_EASY_PRINT* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_EASY_PRINT_User** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. + +If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. + +If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. + +>[!NOTE] +>If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. + + + + +ADMX Info: +- GP Friendly name: *Use Remote Desktop Easy Print printer driver first* +- GP name: *TS_EASY_PRINT_User* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_EnableVirtualGraphics** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to control the availability of RemoteFX on both a Remote Desktop Virtualization Host (RD Virtualization Host) server and a Remote Desktop Session Host (RD Session Host) server. When deployed on an RD Virtualization Host server, RemoteFX delivers a rich user experience by rendering content on the server by using graphics processing units (GPUs). + +By default, RemoteFX for RD Virtualization Host uses server-side GPUs to deliver a rich user experience over LAN connections and RDP 7.1. When deployed on an RD Session Host server, RemoteFX delivers a rich user experience by using a hardware-accelerated compression scheme. + +If you enable this policy setting, RemoteFX will be used to deliver a rich user experience over LAN connections and RDP 7.1. + +If you disable this policy setting, RemoteFX will be disabled. + +If you do not configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled. + + + + +ADMX Info: +- GP Friendly name: *Configure RemoteFX* +- GP name: *TS_EnableVirtualGraphics* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify the RD Session Host server fallback printer driver behavior. By default, the RD Session Host server fallback printer driver is disabled. If the RD Session Host server does not have a printer driver that matches the client's printer, no printer will be available for the Remote Desktop Services session. + +If you enable this policy setting, the fallback printer driver is enabled, and the default behavior is for the RD Session Host server to find a suitable printer driver. If one is not found, the client's printer is not available. You can choose to change this default behavior. The available options are: + +- **Do nothing if one is not found** - If there is a printer driver mismatch, the server will attempt to find a suitable driver. If one is not found, the client's printer is not available. This is the default behavior. +- **Default to PCL if one is not found** - If no suitable printer driver can be found, default to the Printer Control Language (PCL) fallback printer driver. +- **Default to PS if one is not found**- If no suitable printer driver can be found, default to the PostScript (PS) fallback printer driver. +- **Show both PCL and PS if one is not found**- If no suitable driver can be found, show both PS and PCL-based fallback printer drivers. + +If you disable this policy setting, the RD Session Host server fallback driver is disabled and the RD Session Host server will not attempt to use the fallback printer driver. If you do not configure this policy setting, the fallback printer driver behavior is off by default. + +>[!NOTE] +>If the **Do not allow client printer redirection** setting is enabled, this policy setting is ignored and the fallback printer driver is disabled. + + + + +ADMX Info: +- GP Friendly name: *Specify RD Session Host server fallback printer driver behavior* +- GP name: *TS_FALLBACKPRINTDRIVERTYPE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_FORCIBLE_LOGOFF** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines whether an administrator attempting to connect remotely to the console of a server can log off an administrator currently logged on to the console. This policy is useful when the currently connected administrator does not want to be logged off by another administrator. If the connected administrator is logged off, any data not previously saved is lost. + +If you enable this policy setting, logging off the connected administrator is not allowed. + +If you disable or do not configure this policy setting, logging off the connected administrator is allowed. + +>[!NOTE] +>The console session is also known as Session 0. Console access can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line. + + + + +ADMX Info: +- GP Friendly name: *Deny logoff of an administrator logged in to the console session* +- GP name: *TS_FORCIBLE_LOGOFF* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. + +In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting. You can enforce this policy setting or you can allow users to overwrite this setting. + +By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. Note: To enforce this policy setting, you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" policy setting, or client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. + +To enhance security, it is also highly recommended that you specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a smart card can be used. To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. + +When you do this, users on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify a connection method, the connection method that you specify in this policy setting is used by default. + +If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. ADMX Info: -- GP Friendly name: *Allow time zone redirection* +- GP Friendly name: *Enable connection through RD Gateway* - GP name: *TS_GATEWAY_POLICY_ENABLE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP path: *Windows Components\Remote Desktop Services\RD Gateway* - GP ADMX file name: *TerminalServer.admx* @@ -161,15 +2519,13 @@ ADMX Info: -This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirection) between a remote computer and a client computer during a Remote Desktop Services session. +This policy specifies the authentication method that clients must use when attempting to connect to an RD Session Host server through an RD Gateway server. You can enforce this policy setting or you can allow users to overwrite this policy setting. -You can use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default, Remote Desktop Services allows Clipboard redirection. +By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. -If you enable this policy setting, users cannot redirect Clipboard data. +To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default. -If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection. - -If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level. +If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication. @@ -177,16 +2533,1062 @@ If you do not configure this policy setting, Clipboard redirection is not specif ADMX Info: -- GP Friendly name: *Do not allow Clipboard redirection* +- GP Friendly name: *Set RD Gateway authentication method* - GP name: *TS_GATEWAY_POLICY_AUTH_METHOD* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP path: *Windows Components\Remote Desktop Services\RD Gateway* - GP ADMX file name: *TerminalServer.admx*
+ +**ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy specifies the address of the RD Gateway server that clients must use when attempting to connect to an RD Session Host server. You can enforce this policy setting or you can allow users to overwrite this policy setting. + +By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. + +>[!NOTE] +>It is highly recommended that you also specify the authentication method by using the **Set RD Gateway authentication method** policy setting. If you do not specify an authentication method by using this setting, either the NTLM protocol that is enabled on the client or a smart card can be used. + +To allow users to overwrite the **Set RD Gateway server address** policy setting and connect to another RD Gateway server, you must select the **Allow users to change this setting** check box and users will be allowed to specify an alternate RD Gateway server. + +Users can specify an alternative RD Gateway server by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate RD Gateway server, the server that you specify in this policy setting is used by default. + +>[!NOTE] +>If you disable or do not configure this policy setting, but enable the **Enable connections through RD Gateway** policy setting, client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. + + + + +ADMX Info: +- GP Friendly name: *Set RD Gateway server address* +- GP name: *TS_GATEWAY_POLICY_SERVER* +- GP path: *Windows Components\Remote Desktop Services\RD Gateway* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + +**ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify whether the RD Session Host server should join a farm in RD Connection Broker. RD Connection Broker tracks user sessions and allows a user to reconnect to their existing session in a load-balanced RD Session Host server farm. To participate in RD Connection Broker, the Remote Desktop Session Host role service must be installed on the server. + +If the policy setting is enabled, the RD Session Host server joins the farm that is specified in the RD Connection Broker farm name policy setting. The farm exists on the RD Connection Broker server that is specified in the Configure RD Connection Broker server name policy setting. + +If you disable this policy setting, the server does not join a farm in RD Connection Broker, and user session tracking is not performed. If the policy setting is disabled, you cannot use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker. + +If the policy setting is not configured, the policy setting is not specified at the Group Policy level. + +>[!NOTE] +>1. If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings. +>2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. + + + + +ADMX Info: +- GP Friendly name: *Join RD Connection Broker* +- GP name: *TS_JOIN_SESSION_DIRECTORY* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_KEEP_ALIVE** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to enter a keep-alive interval to ensure that the session state on the RD Session Host server is consistent with the client state. + +After an RD Session Host server client loses the connection to an RD Session Host server, the session on the RD Session Host server might remain active instead of changing to a disconnected state, even if the client is physically disconnected from the RD Session Host server. If the client logs on to the same RD Session Host server again, a new session might be established (if the RD Session Host server is configured to allow multiple sessions), and the original session might still be active. + +If you enable this policy setting, you must enter a keep-alive interval. The keep-alive interval determines how often, in minutes, the server checks the session state. The range of values you can enter is 1 to 999,999. + +If you disable or do not configure this policy setting, a keep-alive interval is not set and the server will not check the session state. + + + + +ADMX Info: +- GP Friendly name: *Configure keep-alive connection interval* +- GP name: *TS_KEEP_ALIVE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_LICENSE_SECGROUP** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify the RD Session Host servers to which a Remote Desktop license server will offer Remote Desktop Services client access licenses (RDS CALs). + +You can use this policy setting to control which RD Session Host servers are issued RDS CALs by the Remote Desktop license server. By default, a license server issues an RDS CAL to any RD Session Host server that requests one. + +If you enable this policy setting and this policy setting is applied to a Remote Desktop license server, the license server will only respond to RDS CAL requests from RD Session Host servers whose computer accounts are a member of the RDS Endpoint Servers group on the license server. By default, the RDS Endpoint Servers group is empty. + +If you disable or do not configure this policy setting, the Remote Desktop license server issues an RDS CAL to any RD Session Host server that requests one. The RDS Endpoint Servers group is not deleted or changed in any way by disabling or not configuring this policy setting. + +>[!NOTE] +>You should only enable this policy setting when the license server is a member of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Servers group when the license server is a member of a domain. + + + + +ADMX Info: +- GP Friendly name: *License server security group* +- GP name: *TS_LICENSE_SECGROUP* +- GP path: *Windows Components\Remote Desktop Services\RD Licensing* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_LICENSE_SERVERS** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify the order in which an RD Session Host server attempts to locate Remote Desktop license servers. + +If you enable this policy setting, an RD Session Host server first attempts to locate the specified license servers. If the specified license servers cannot be located, the RD Session Host server will attempt automatic license server discovery. + +In the automatic license server discovery process, an RD Session Host server in a Windows Server-based domain attempts to contact a license server in the following order: +1. Remote Desktop license servers that are published in Active Directory Domain Services. +2. Remote Desktop license servers that are installed on domain controllers in the same domain as the RD Session Host server. + +1If you disable or do not configure this policy setting, the RD Session Host server does not specify a license server at the Group Policy level. + + + + +ADMX Info: +- GP Friendly name: *Use the specified Remote Desktop license servers* +- GP name: *TS_LICENSE_SERVERS* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_LICENSE_TOOLTIP** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines whether notifications are displayed on an RD Session Host server when there are problems with RD Licensing that affect the RD Session Host server. + +By default, notifications are displayed on an RD Session Host server after you log on as a local administrator, if there are problems with RD Licensing that affect the RD Session Host server. If applicable, a notification will also be displayed that notes the number of days until the licensing grace period for the RD Session Host server will expire. + +If you enable this policy setting, these notifications will not be displayed on the RD Session Host server. + +If you disable or do not configure this policy setting, these notifications will be displayed on the RD Session Host server after you log on as a local administrator. + + + + +ADMX Info: +- GP Friendly name: *Hide notifications about RD Licensing problems that affect the RD Session Host server* +- GP name: *TS_LICENSE_TOOLTIP* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_LICENSING_MODE** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify the type of Remote Desktop Services client access license (RDS CAL) that is required to connect to this RD Session Host server. + +You can use this policy setting to select one of three licensing modes: Per User , Per Device and AAD Per User . +- Per User licensing mode requires that each user account connecting to this RD Session Host server have an RDS Per User CAL issued from an RD Licensing server. +- Per Device licensing mode requires that each device connecting to this RD Session Host server have an RDS Per Device CAL issued from an RD Licensing server. +- AAD Per User licensing mode requires that each user account connecting to this RD Session Host server have a service plan that supports RDS licenses assigned in AAD. + +If you enable this policy setting, the Remote Desktop licensing mode that you specify is honored by the Remote Desktop license server and RD Session Host. + +If you disable or do not configure this policy setting, the licensing mode is not specified at the Group Policy level. + + + + +ADMX Info: +- GP Friendly name: *Set the Remote Desktop licensing mode* +- GP name: *TS_LICENSING_MODE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_MAX_CON_POLICY** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy specifies whether Remote Desktop Services limits the number of simultaneous connections to the server. You can use this setting to restrict the number of Remote Desktop Services sessions that can be active on a server. If this number is exceeded, additional users who try to connect receive an error message telling them that the server is busy and to try again later. Restricting the number of sessions improves performance because fewer sessions are demanding system resources. + +By default, RD Session Host servers allow an unlimited number of Remote Desktop Services sessions, and Remote Desktop for Administration allows two Remote Desktop Services sessions. + +To use this setting, enter the number of connections you want to specify as the maximum for the server. To specify an unlimited number of connections, type 999999. + +If the status is set to Enabled, the maximum number of connections is limited to the specified number consistent with the version of Windows and the mode of Remote Desktop Services running on the server. + +If the status is set to Disabled or Not Configured, limits to the number of connections are not enforced at the Group Policy level. + +>[!NOTE] +>This setting is designed to be used on RD Session Host servers (that is, on servers running Windows with Remote Desktop Session Host role service installed). + + + + +ADMX Info: +- GP Friendly name: *Limit number of connections* +- GP name: *TS_MAX_CON_POLICY* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_MAXDISPLAYRES** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify the maximum display resolution that can be used by each monitor used to display a Remote Desktop Services session. Limiting the resolution used to display a remote session can improve connection performance, particularly over slow links, and reduce server load. + +If you enable this policy setting, you must specify a resolution width and height. The resolution specified will be the maximum resolution that can be used by each monitor used to display a Remote Desktop Services session. + +If you disable or do not configure this policy setting, the maximum resolution that can be used by each monitor to display a Remote Desktop Services session will be determined by the values specified on the Display Settings tab in the Remote Desktop Session Host Configuration tool. + + + + +ADMX Info: +- GP Friendly name: *Limit maximum display resolution* +- GP name: *TS_MAXDISPLAYRES* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_MAXMONITOR** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to limit the number of monitors that a user can use to display a Remote Desktop Services session. Limiting the number of monitors to display a Remote Desktop Services session can improve connection performance, particularly over slow links, and reduce server load. + +If you enable this policy setting, you can specify the number of monitors that can be used to display a Remote Desktop Services session. You can specify a number from 1 to 16. + +If you disable or do not configure this policy setting, the number of monitors that can be used to display a Remote Desktop Services session is not specified at the Group Policy level. + + + + +ADMX Info: +- GP Friendly name: *Limit number of monitors* +- GP name: *TS_MAXMONITOR* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_NoDisconnectMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to remove the "Disconnect" option from the Shut Down Windows dialog box in Remote Desktop Services sessions. You can use this policy setting to prevent users from using this familiar method to disconnect their client from an RD Session Host server. + +If you enable this policy setting, "Disconnect" does not appear as an option in the drop-down list in the Shut Down Windows dialog box. + +If you disable or do not configure this policy setting, "Disconnect" is not removed from the list in the Shut Down Windows dialog box. + +>[!NOTE] +>This policy setting affects only the Shut Down Windows dialog box. It does not prevent users from using other methods to disconnect from a Remote Desktop Services session. + +This policy setting also does not prevent disconnected sessions at the server. You can control how long a disconnected session remains active on the server by configuring the **Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Session Time Limits\Set time limit for disconnected sessions** policy setting. + + + + +ADMX Info: +- GP Friendly name: *Remove "Disconnect" option from Shut Down dialog* +- GP name: *TS_NoDisconnectMenu* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_NoSecurityMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy specifies whether to remove the Windows Security item from the Settings menu on Remote Desktop clients. You can use this setting to prevent inexperienced users from logging off from Remote Desktop Services inadvertently. + +If the status is set to Enabled, Windows Security does not appear in Settings on the Start menu. As a result, users must type a security attention sequence, such as CTRL+ALT+END, to open the Windows Security dialog box on the client computer. + +If the status is set to Disabled or Not Configured, Windows Security remains in the Settings menu. + + + + +ADMX Info: +- GP Friendly name: *Remove Windows Security item from Start menu* +- GP name: *TS_NoSecurityMenu* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_PreventLicenseUpgrade** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify which version of Remote Desktop Services client access license (RDS CAL) a Remote Desktop Services license server will issue to clients connecting to RD Session Host servers running other Windows-based operating systems. + +A license server attempts to provide the most appropriate RDS or TS CAL for a connection. For example, a Windows Server 2008 license server will try to issue a Windows Server 2008 TS CAL for clients connecting to a terminal server running Windows Server 2008, and will try to issue a Windows Server 2003 TS CAL for clients connecting to a terminal server running Windows Server 2003. + +By default, if the most appropriate RDS CAL is not available for a connection, a Windows Server 2008 license server will issue a Windows Server 2008 TS CAL, if available, to the following: +- A client connecting to a Windows Server 2003 terminal server +- A client connecting to a Windows 2000 terminal server + +If you enable this policy setting, the license server will only issue a temporary RDS CAL to the client if an appropriate RDS CAL for the RD Session Host server is not available. If the client has already been issued a temporary RDS CAL and the temporary RDS CAL has expired, the client will not be able to connect to the RD Session Host server unless the RD Licensing grace period for the RD Session Host server has not expired. + +If you disable or do not configure this policy setting, the license server will exhibit the default behavior noted earlier. + + + + +ADMX Info: +- GP Friendly name: *Prevent license upgrade* +- GP name: *TS_PreventLicenseUpgrade* +- GP path: *Windows Components\Remote Desktop Services\RD Licensing* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
+ + +**ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines whether a user will be prompted on the client computer to provide credentials for a remote connection to an RD Session Host server. + +If you enable this policy setting, a user will be prompted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Session Host server. If saved credentials for the user are available on the client computer, the user will not be prompted to provide credentials. + +>[!NOTE] +>If you enable this policy setting in releases of Windows Server 2008 R2 with SP1 or Windows Server 2008 R2, and a user is prompted on both the client computer and on the RD Session Host server to provide credentials, clear the Always prompt for password check box on the Log on Settings tab in Remote Desktop Session Host Configuration. + +If you disable or do not configure this policy setting, the version of the operating system on the RD Session Host server will determine when a user is prompted to provide credentials for a remote connection to an RD Session Host server. + +For Windows Server 2003 and Windows 2000 Server a user will be prompted on the terminal server to provide credentials for a remote connection. For Windows Server 2008 and Windows Server 2008 R2, a user will be prompted on the client computer to provide credentials for a remote connection. + + + + +ADMX Info: +- GP Friendly name: *Prompt for credentials on the client computer* +- GP name: *TS_PROMT_CREDS_CLIENT_COMP* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + + + +
From 2728f29438458f6d694d286f0f178d603e2766c0 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Fri, 19 Nov 2021 15:46:26 +0530 Subject: [PATCH 010/122] Update policy-csp-admx-terminalserver.md --- .../mdm/policy-csp-admx-terminalserver.md | 1229 +++++++++++++++++ 1 file changed, 1229 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 2833f7d9f9..f4dd2966a5 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -36,6 +36,54 @@ manager: dansimp
ADMX_TerminalServer/TS_RADC_DefaultConnection
+
+ ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration +
+
+ ADMX_TerminalServer/TS_RemoteControl_1 +
+
+ ADMX_TerminalServer/TS_RemoteControl_2 +
+
+ ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics +
+
+ ADMX_TerminalServer/TS_SD_ClustName +
+
+ ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS +
+
+ ADMX_TerminalServer/TS_SD_Loc +
+
+ ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY +
+
+ ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT +
+
+ ADMX_TerminalServer/TS_SELECT_TRANSPORT +
+
+ ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP +
+
+ ADMX_TerminalServer/TS_SERVER_AUTH +
+
+ ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED +
+
+ ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED +
+
+ ADMX_TerminalServer/TS_SERVER_COMPRESSOR +
+
+ ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY +
@@ -263,5 +311,1186 @@ ADMX Info:
+ +**ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +This policy setting allows you to specify whether the app registration is completed before showing the Start screen to the user. By default, when a new user signs in to a computer, the Start screen is shown and apps are registered in the background. However, some apps may not work until app registration is complete. + +- If you enable this policy setting, user sign-in is blocked for up to 6 minutes to complete the app registration. You can use this policy setting when customizing the Start screen on Remote Desktop Session Host servers. + +- If you disable or do not configure this policy setting, the Start screen is shown and apps are registered in the background. + + + + + + +ADMX Info: +- GP Friendly name: *Suspend user sign-in to complete app registration* +- GP name: *TS_RDSAppX_WaitForRegistration* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_RemoteControl_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy determines whether the RPC protocol messagese used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. By default, the RPC protocol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. + +To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service. + + + + + + +ADMX Info: +- GP Friendly name: *Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers* +- GP name: *TS_RemoteControl_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_RemoteControl_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy determines whether the RPC protocol messagese used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. By default, the RPC protocol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. + +To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service. + + + + + + +ADMX Info: +- GP Friendly name: *Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers* +- GP name: *TS_RemoteControl_2* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting allows you to specify the visual experience that remote users will have in Remote Desktop Connection (RDC) connections that use RemoteFX. + +You can use this policy to balance the network bandwidth usage with the type of graphics experience that is delivered. + +Depending on the requirements of your users, you can reduce network bandwidth usage by reducing the screen capture rate. You can also reduce network bandwidth usage by reducing the image quality (increasing the amount of image compression that is performed). If you have a higher than average bandwidth network, you can maximize the utilization of bandwidth by selecting the highest setting for screen capture rate and the highest setting for image quality. + +By default, Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. If you disable or do not configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior). + + + + + + +ADMX Info: +- GP Friendly name: *Optimize visual experience when using RemoteFX* +- GP name: *TS_RemoteDesktopVirtualGraphics* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SD_ClustName** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting allows you to specify the name of a farm to join in RD Connection Broker. + +RD Connection Broker uses the farm name to determine which RD Session Host servers are in the same RD Session Host server farm. Therefore, you must use the same farm name for all RD Session Host servers in the same load-balanced farm. The farm name does not have to correspond to a name in Active Directory Domain Services. + +If you specify a new farm name, a new farm is created in RD Connection Broker. If you specify an existing farm name, the server joins that farm in RD Connection Broker. + +- If you enable this policy setting, you must specify the name of a farm in RD Connection Broker. +- If you disable or do not configure this policy setting, the farm name is not specified at the Group Policy level. + +- This policy setting is not effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy. +- For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. + + + + + +ADMX Info: +- GP Friendly name: *Configure RD Connection Broker farm name* +- GP name: *TS_SD_ClustName* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting allows you to specify the redirection method to use when a client device reconnects to an existing Remote Desktop Services session in a load-balanced RD Session Host server farm. + +This setting applies to an RD Session Host server that is configured to use RD Connection Broker and not to the RD Connection Broker server. + +- If you enable this policy setting, a Remote Desktop Services client queries the RD Connection Broker server and is redirected to their existing session by using the IP address of the RD Session Host server where their session exists. To use this redirection method, client computers must be able to connect directly by IP address to RD Session Host servers in the farm. + +- If you disable this policy setting, the IP address of the RD Session Host server is not sent to the client. Instead, the IP address is embedded in a token. + +When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct RD Session Host server in the farm. Only disable this setting when your network load-balancing solution supports the use of RD Connection Broker routing tokens and you do not want clients to directly connect by IP address to RD Session Host servers in the load-balanced farm. + +If you do not configure this policy setting, the Use IP address redirection policy setting is not enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default. + +For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. + + + + + + +ADMX Info: +- GP Friendly name: *Use IP Address Redirection* +- GP name: *TS_SD_EXPOSE_ADDRESS* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SD_Loc** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting allows you to specify the RD Connection Broker server that the RD Session Host server uses to track and redirect user sessions for a load-balanced RD Session Host server farm. The specified server must be running the Remote Desktop Connection Broker service. + +All RD Session Host servers in a load-balanced farm should use the same RD Connection Broker server. + +- If you enable this policy setting, you must specify the RD Connection Broker server by using its fully qualified domain name (FQDN). In Windows Server 2012, for a high availability setup with multiple RD Connection Broker servers, you must provide a semi-colon separated list of the FQDNs of all the RD Connection Broker servers. + +- If you disable or do not configure this policy setting, the policy setting is not specified at the Group Policy level. + +For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. +This policy setting is not effective unless the Join RD Connection Broker policy setting is enabled. + +To be an active member of an RD Session Host server farm, the computer account for each RD Session Host server in the farm must be a member of one of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker Computers, or RDS Endpoint Servers. + + + + + +ADMX Info: +- GP Friendly name: *Configure RD Connection Broker server name* +- GP name: *TS_SD_Loc* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. + +- If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the security method specified in this setting. + +The following security methods are available: + +- * Negotiate: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the RD Session Host server. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended. + +- * RDP: The RDP method uses native RDP encryption to secure communications between the client and RD Session Host server. If you select this setting, the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended. + +- * SSL (TLS 1.0): The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported, the connection fails. This is the recommended setting for this policy. + +- If you disable or do not configure this policy setting, the security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level. + + + + + +ADMX Info: +- GP Friendly name: *Require use of specific security layer for remote (RDP) connections* +- GP name: *TS_SECURITY_LAYER_POLICY* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting allows you to specify how the Remote Desktop Protocol will try to detect the network quality (bandwidth and latency). +You can choose to disable Connect Time Detect, Continuous Network Detect, or both Connect Time Detect and Continuous Network Detect. +- If you disable Connect Time Detect, Remote Desktop Protocol will not determine the network quality at the connect time, and it will assume that all traffic to this server originates from a low-speed connection. +- If you disable Continuous Network Detect, Remote Desktop Protocol will not try to adapt the remote user experience to varying network quality. +- If you disable Connect Time Detect and Continuous Network Detect, Remote Desktop Protocol will not try to determine the network quality at the connect time; instead it will assume that all traffic to this server originates from a low-speed connection, and it will not try to adapt the user experience to varying network quality. +- If you disable or do not configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and it will continuously try to adapt the user experience to varying network quality. + + + + + +ADMX Info: +- GP Friendly name: *Select network detection on the server* +- GP name: *TS_SELECT_NETWORK_DETECT* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SELECT_TRANSPORT** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting allows you to specify which protocols can be used for Remote Desktop Protocol (RDP) access to this server. + +- If you enable this policy setting, you must specify if you would like RDP to use UDP. You can select one of the following options: +"Use both UDP and TCP", "Use only TCP" or "Use either UDP or TCP (default)" If you select "Use either UDP or TCP" and the UDP connection is successful, most of the RDP traffic will use UDP. If the UDP connection is not successful or if you select "Use only TCP," all of the RDP traffic will use TCP. + +- If you disable or do not configure this policy setting, RDP will choose the optimal protocols for delivering the best user experience. + + + + +ADMX Info: +- GP Friendly name: *Select RDP transport protocols* +- GP name: *TS_SELECT_TRANSPORT* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, live thumbnails, and seamless application moves. + +This policy setting applies only to RemoteApp programs and does not apply to remote desktop sessions. + +- If you enable or do not configure this policy setting, RemoteApp programs published from this RD Session Host server will use these advanced graphics. + +- If you disable this policy setting, RemoteApp programs published from this RD Session Host server will not use these advanced graphics. + +You may want to choose this option if you discover that applications published as RemoteApp programs do not support these advanced graphics. + + + + +ADMX Info: +- GP Friendly name: *Use advanced RemoteFX graphics for RemoteApp* +- GP name: *TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SERVER_AUTH** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting allows you to specify whether the client will establish a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. + +- If you enable this policy setting, you must specify one of the following settings: + +Always connect, even if authentication fails: The client connects to the RD Session Host server even if the client cannot authenticate the RD Session Host server. + +Warn me if authentication fails: The client attempts to authenticate the RD Session Host server. If the RD Session Host server can be authenticated, the client establishes a connection to the RD Session Host server. If the RD Session Host server cannot be authenticated, the user is prompted to choose whether to connect to the RD Session Host server without authenticating the RD Session Host server. + +Do not connect if authentication fails: The client establishes a connection to the RD Session Host server only if the RD Session Host server can be authenticated. + +- If you disable or do not configure this policy setting, the authentication setting that is specified in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. + + + + +ADMX Info: +- GP Friendly name: *Configure server authentication for client* +- GP name: *TS_SERVER_AUTH* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connections. + +- When you enable hardware encoding, if an error occurs, we will attempt to use software encoding. + +- If you disable or do not configure this policy, we will always use software encoding. + + + + +ADMX Info: +- GP Friendly name: *Configure H.264/AVC hardware encoding for Remote Desktop Connections* +- GP name: *TS_SERVER_AVC_HW_ENCODE_PREFERRED* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting prioritizes the H.264/AVC 444 graphics mode for non-RemoteFX vGPU scenarios. + +When you use this setting on the RDP server, the server will use H.264/AVC 444 as the codec in an RDP 10 connection where both the client and server can use H.264/AVC 444. + + + + +ADMX Info: +- GP Friendly name: *Prioritize H.264/AVC 444 graphics mode for Remote Desktop Connections* +- GP name: *TS_SERVER_AVC444_MODE_PREFERRED* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SERVER_COMPRESSOR** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting allows you to specify which Remote Desktop Protocol (RDP) compression algorithm to use. By default, servers use an RDP compression algorithm that is based on the server's hardware configuration. + +If you enable this policy setting, you can specify which RDP compression algorithm to use. + +If you select the algorithm that is optimized to use less memory, this option is less memory-intensive, but uses more network bandwidth. + +If you select the algorithm that is optimized to use less network bandwidth, this option uses less network bandwidth, but is more memory-intensive. + +Additionally, a third option is available that balances memory usage and network bandwidth. In Windows 8 only the compression algorithm that balances memory usage and bandwidth is used. You can also choose not to use an RDP compression algorithm. Choosing not to use an RDP compression algorithm will use more network bandwidth and is only recommended if you are using a hardware device that is designed to optimize network traffic. Even if you choose not to use an RDP compression algorithm, some graphics data will still be compressed. If you disable or do not configure this policy setting, the default RDP compression algorithm will be used. + + + + +ADMX Info: +- GP Friendly name: *Configure compression for RemoteFX data* +- GP name: *TS_SERVER_COMPRESSOR* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting allows you to specify the visual quality for remote users when connecting to this computer by using Remote Desktop Connection. You can use this policy setting to balance the network bandwidth usage with the visual quality that is delivered. + +- If you enable this policy setting and set quality to Low, RemoteFX Adaptive Graphics uses an encoding mechanism that results in low quality images. This mode consumes the lowest amount of network bandwidth of the quality modes. + +- If you enable this policy setting and set quality to Medium, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. This mode provides better graphics quality than low quality and uses less bandwidth than high quality. + +- If you enable this policy setting and set quality to High, RemoteFX Adaptive Graphics uses an encoding mechanism that results in high quality images and consumes moderate network bandwidth. + +- If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data is not impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that you set this for very specific cases only. + +- If you disable or do not configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. + + + + +ADMX Info: +- GP Friendly name: *Configure image quality for RemoteFX Adaptive Graphics* +- GP name: *TS_SERVER_IMAGE_QUALITY* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ From 1cfda485a318989004cfe1df843eb6d1537d77eb Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Fri, 19 Nov 2021 19:24:07 +0530 Subject: [PATCH 011/122] Update policy-csp-admx-terminalserver.md --- .../mdm/policy-csp-admx-terminalserver.md | 182 +++++++++++++++--- 1 file changed, 158 insertions(+), 24 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 9febc8bf46..b42aac7547 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -173,6 +173,7 @@ manager: dansimp
ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY +
ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER
@@ -2661,7 +2662,7 @@ ADMX Info:
-**ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE** +**ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics** @@ -2705,44 +2706,28 @@ ADMX Info: > [!div class = "checklist"] > * Device -> * User
-This policy setting allows you to specify the visual experience that remote users will have in Remote Desktop Connection (RDC) connections that use RemoteFX. +This policy setting allows you to specify the visual experience that remote users will have in Remote Desktop Connection (RDC) connections that use RemoteFX. You can use this policy to balance the network bandwidth usage with the type of graphics experience that is delivered. Depending on the requirements of your users, you can reduce network bandwidth usage by reducing the screen capture rate. -You can use this policy to balance the network bandwidth usage with the type of graphics experience that is delivered. +You can also reduce network bandwidth usage by reducing the image quality (increasing the amount of image compression that is performed). +If you have a higher than average bandwidth network, you can maximize the utilization of bandwidth by selecting the highest setting for screen capture rate and the highest setting for image quality. + +By default, Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. -Depending on the requirements of your users, you can reduce network bandwidth usage by reducing the screen capture rate. You can also reduce network bandwidth usage by reducing the image quality (increasing the amount of image compression that is performed). If you have a higher than average bandwidth network, you can maximize the utilization of bandwidth by selecting the highest setting for screen capture rate and the highest setting for image quality. - -By default, Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. If you disable or do not configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior). - -If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. - -In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting. You can enforce this policy setting or you can allow users to overwrite this setting. - -By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. Note: To enforce this policy setting, you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" policy setting, or client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. - -To enhance security, it is also highly recommended that you specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a smart card can be used. To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. - -When you do this, users on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify a connection method, the connection method that you specify in this policy setting is used by default. - -If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. +If you disable or do not configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior). - ADMX Info: - GP Friendly name: *Optimize visual experience when using RemoteFX* - GP name: *TS_RemoteDesktopVirtualGraphics* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP Friendly name: *Enable connection through RD Gateway* -- GP name: *TS_GATEWAY_POLICY_ENABLE* -- GP path: *Windows Components\Remote Desktop Services\RD Gateway* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* - GP ADMX file name: *TerminalServer.admx* @@ -2750,6 +2735,155 @@ ADMX Info:
+ +**ADMX_TerminalServer/TS_SD_ClustName** + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify the name of a farm to join in RD Connection Broker. RD Connection Broker uses the farm name to determine which RD Session Host servers are in the same RD Session Host server farm. + +Therefore, you must use the same farm name for all RD Session Host servers in the same load-balanced farm. The farm name does not have to correspond to a name in Active Directory Domain Services. If you specify a new farm name, a new farm is created in RD Connection Broker. If you specify an existing farm name, the server joins that farm in RD Connection Broker. + +- If you enable this policy setting, you must specify the name of a farm in RD Connection Broker. + +- If you disable or do not configure this policy setting, the farm name is not specified at the Group Policy level. + +>[!NOTES] +> 1. This policy setting is not effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy. +> 2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. + + + + +ADMX Info: +- GP Friendly name: *Configure RD Connection Broker farm name* +- GP name: *TS_SD_ClustName* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify the redirection method to use when a client device reconnects to an existing Remote Desktop Services session in a load-balanced RD Session Host server farm. This setting applies to an RD Session Host server that is configured to use RD Connection Broker and not to the RD Connection Broker server. + +- If you enable this policy setting, a Remote Desktop Services client queries the RD Connection Broker server and is redirected to their existing session by using the IP address of the RD Session Host server where their session exists. To use this redirection method, client computers must be able to connect directly by IP address to RD Session Host servers in the farm. + +- If you disable this policy setting, the IP address of the RD Session Host server is not sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct RD Session Host server in the farm. Only disable this setting when your network load-balancing solution supports the use of RD Connection Broker routing tokens and you do not want clients to directly connect by IP address to RD Session Host servers in the load-balanced farm. + +If you do not configure this policy setting, the Use IP address redirection policy setting is not enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default. + +>[!NOTES] +> For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. + + + + +ADMX Info: +- GP Friendly name: *Use IP Address Redirection* +- GP name: *TS_SD_EXPOSE_ADDRESS* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ **ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD** From 30c000b7290053554f8ef52da2685a88edc90b18 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 22 Nov 2021 06:18:39 +0530 Subject: [PATCH 012/122] Update policy-csp-admx-terminalserver.md --- .../mdm/policy-csp-admx-terminalserver.md | 2755 +++++++++++++++-- 1 file changed, 2490 insertions(+), 265 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index b42aac7547..bb3ba3a713 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -124,6 +124,48 @@ manager: dansimp ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER +
+
+ ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY +
+
+ ADMX_TerminalServer/TS_KEEP_ALIVE +
+
+ ADMX_TerminalServer/TS_LICENSE_SECGROUP +
+
+ ADMX_TerminalServer/TS_LICENSE_SERVERS +
+
+ ADMX_TerminalServer/TS_LICENSE_TOOLTIP +
+
+ ADMX_TerminalServer/TS_LICENSING_MODE +
+
+ ADMX_TerminalServer/TS_MAX_CON_POLICY +
+
+ ADMX_TerminalServer/TS_MAXDISPLAYRES +
+
+ ADMX_TerminalServer/TS_MAXMONITOR +
+
+ ADMX_TerminalServer/TS_NoDisconnectMenu +
+
+ ADMX_TerminalServer/TS_NoSecurityMenu +
+
+ ADMX_TerminalServer/TS_PreventLicenseUpgrade +
+
+ ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP +
+
ADMX_TerminalServer/TS_RADC_DefaultConnection
@@ -174,47 +216,6 @@ manager: dansimp
ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY
- ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER - -
- ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY -
-
- ADMX_TerminalServer/TS_KEEP_ALIVE -
-
- ADMX_TerminalServer/TS_LICENSE_SECGROUP -
-
- ADMX_TerminalServer/TS_LICENSE_SERVERS -
-
- ADMX_TerminalServer/TS_LICENSE_TOOLTIP -
-
- ADMX_TerminalServer/TS_LICENSING_MODE -
-
- ADMX_TerminalServer/TS_MAX_CON_POLICY -
-
- ADMX_TerminalServer/TS_MAXDISPLAYRES -
-
- ADMX_TerminalServer/TS_MAXMONITOR -
-
- ADMX_TerminalServer/TS_NoDisconnectMenu -
-
- ADMX_TerminalServer/TS_NoSecurityMenu -
-
- ADMX_TerminalServer/TS_PreventLicenseUpgrade -
-
- ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP -
@@ -2658,230 +2659,6 @@ ADMX Info: - -
- - -**ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - - -This policy setting allows you to specify the visual experience that remote users will have in Remote Desktop Connection (RDC) connections that use RemoteFX. You can use this policy to balance the network bandwidth usage with the type of graphics experience that is delivered. Depending on the requirements of your users, you can reduce network bandwidth usage by reducing the screen capture rate. - -You can also reduce network bandwidth usage by reducing the image quality (increasing the amount of image compression that is performed). -If you have a higher than average bandwidth network, you can maximize the utilization of bandwidth by selecting the highest setting for screen capture rate and the highest setting for image quality. - -By default, Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. - -If you disable or do not configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior). - - - - -ADMX Info: -- GP Friendly name: *Optimize visual experience when using RemoteFX* -- GP name: *TS_RemoteDesktopVirtualGraphics* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* -- GP ADMX file name: *TerminalServer.admx* - - - - -
- - -**ADMX_TerminalServer/TS_SD_ClustName** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting allows you to specify the name of a farm to join in RD Connection Broker. RD Connection Broker uses the farm name to determine which RD Session Host servers are in the same RD Session Host server farm. - -Therefore, you must use the same farm name for all RD Session Host servers in the same load-balanced farm. The farm name does not have to correspond to a name in Active Directory Domain Services. If you specify a new farm name, a new farm is created in RD Connection Broker. If you specify an existing farm name, the server joins that farm in RD Connection Broker. - -- If you enable this policy setting, you must specify the name of a farm in RD Connection Broker. - -- If you disable or do not configure this policy setting, the farm name is not specified at the Group Policy level. - ->[!NOTES] -> 1. This policy setting is not effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy. -> 2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. - - - - -ADMX Info: -- GP Friendly name: *Configure RD Connection Broker farm name* -- GP name: *TS_SD_ClustName* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting allows you to specify the redirection method to use when a client device reconnects to an existing Remote Desktop Services session in a load-balanced RD Session Host server farm. This setting applies to an RD Session Host server that is configured to use RD Connection Broker and not to the RD Connection Broker server. - -- If you enable this policy setting, a Remote Desktop Services client queries the RD Connection Broker server and is redirected to their existing session by using the IP address of the RD Session Host server where their session exists. To use this redirection method, client computers must be able to connect directly by IP address to RD Session Host servers in the farm. - -- If you disable this policy setting, the IP address of the RD Session Host server is not sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct RD Session Host server in the farm. Only disable this setting when your network load-balancing solution supports the use of RD Connection Broker routing tokens and you do not want clients to directly connect by IP address to RD Session Host servers in the load-balanced farm. - -If you do not configure this policy setting, the Use IP address redirection policy setting is not enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default. - ->[!NOTES] -> For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. - - - - -ADMX Info: -- GP Friendly name: *Use IP Address Redirection* -- GP name: *TS_SD_EXPOSE_ADDRESS* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* -- GP ADMX file name: *TerminalServer.admx* - - -
@@ -4003,6 +3780,2454 @@ ADMX Info: +
+ + +**ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting allows you to specify the visual experience that remote users will have in Remote Desktop Connection (RDC) connections that use RemoteFX. You can use this policy to balance the network bandwidth usage with the type of graphics experience that is delivered. Depending on the requirements of your users, you can reduce network bandwidth usage by reducing the screen capture rate. + +You can also reduce network bandwidth usage by reducing the image quality (increasing the amount of image compression that is performed). +If you have a higher than average bandwidth network, you can maximize the utilization of bandwidth by selecting the highest setting for screen capture rate and the highest setting for image quality. + +By default, Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. + +If you disable or do not configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior). + + + + +ADMX Info: +- GP Friendly name: *Optimize visual experience when using RemoteFX* +- GP name: *TS_RemoteDesktopVirtualGraphics* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + +**ADMX_TerminalServer/TS_SD_ClustName** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify the name of a farm to join in RD Connection Broker. RD Connection Broker uses the farm name to determine which RD Session Host servers are in the same RD Session Host server farm. + +Therefore, you must use the same farm name for all RD Session Host servers in the same load-balanced farm. The farm name does not have to correspond to a name in Active Directory Domain Services. If you specify a new farm name, a new farm is created in RD Connection Broker. If you specify an existing farm name, the server joins that farm in RD Connection Broker. + +- If you enable this policy setting, you must specify the name of a farm in RD Connection Broker. + +- If you disable or do not configure this policy setting, the farm name is not specified at the Group Policy level. + +>[!NOTES] +> 1. This policy setting is not effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy. +> 2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. + + + + +ADMX Info: +- GP Friendly name: *Configure RD Connection Broker farm name* +- GP name: *TS_SD_ClustName* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify the redirection method to use when a client device reconnects to an existing Remote Desktop Services session in a load-balanced RD Session Host server farm. This setting applies to an RD Session Host server that is configured to use RD Connection Broker and not to the RD Connection Broker server. + +- If you enable this policy setting, a Remote Desktop Services client queries the RD Connection Broker server and is redirected to their existing session by using the IP address of the RD Session Host server where their session exists. To use this redirection method, client computers must be able to connect directly by IP address to RD Session Host servers in the farm. + +- If you disable this policy setting, the IP address of the RD Session Host server is not sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct RD Session Host server in the farm. Only disable this setting when your network load-balancing solution supports the use of RD Connection Broker routing tokens and you do not want clients to directly connect by IP address to RD Session Host servers in the load-balanced farm. + +If you do not configure this policy setting, the Use IP address redirection policy setting is not enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default. + +>[!NOTES] +> For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. + + + + +ADMX Info: +- GP Friendly name: *Use IP Address Redirection* +- GP name: *TS_SD_EXPOSE_ADDRESS* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SD_Loc** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify the RD Connection Broker server that the RD Session Host server uses to track and redirect user sessions for a load-balanced RD Session Host server farm. +The specified server must be running the Remote Desktop Connection Broker service. All RD Session Host servers in a load-balanced farm should use the same RD Connection Broker server. + +- If you enable this policy setting, you must specify the RD Connection Broker server by using its fully qualified domain name (FQDN). In Windows Server 2012, for a high availability setup with multiple RD Connection Broker servers, you must provide a semi-colon separated list of the FQDNs of all the RD Connection Broker servers. + +- If you disable or do not configure this policy setting, the policy setting is not specified at the Group Policy level. + + +>[!NOTES] +> 1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. +> 2. This policy setting is not effective unless the Join RD Connection Broker policy setting is enabled. +> 3. To be an active member of an RD Session Host server farm, the computer account for each RD Session Host server in the farm must be a member of one of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker Computers, or RDS Endpoint Servers. + + + + +ADMX Info: +- GP Friendly name: *Configure RD Connection Broker server name* +- GP name: *TS_SD_Loc* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + +**ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. + +- If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the security method specified in this setting. + +The following security methods are available: + +1. * Negotiate: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the RD Session Host server. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended. +2. * RDP: The RDP method uses native RDP encryption to secure communications between the client and RD Session Host server. If you select this setting, the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended. +3. * SSL (TLS 1.0): The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported, the connection fails. This is the recommended setting for this policy. + +- If you disable or do not configure this policy setting, the security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level. + + + + +ADMX Info: +- GP Friendly name: *Require use of specific security layer for remote (RDP) connections* +- GP name: *TS_SECURITY_LAYER_POLICY* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + +**ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify how the Remote Desktop Protocol will try to detect the network quality (bandwidth and latency). +You can choose to disable Connect Time Detect, Continuous Network Detect, or both Connect Time Detect and Continuous Network Detect. + +- If you disable Connect Time Detect, Remote Desktop Protocol will not determine the network quality at the connect time, and it will assume that all traffic to this server originates from a low-speed connection. + +- If you disable Continuous Network Detect, Remote Desktop Protocol will not try to adapt the remote user experience to varying network quality. + +- If you disable Connect Time Detect and Continuous Network Detect, Remote Desktop Protocol will not try to determine the network quality at the connect time; instead it will assume that all traffic to this server originates from a low-speed connection, and it will not try to adapt the user experience to varying network quality. + +- If you disable or do not configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and it will continuously try to adapt the user experience to varying network quality. + + + + +ADMX Info: +- GP Friendly name: *Select network detection on the server* +- GP name: *TS_SELECT_NETWORK_DETECT* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_SELECT_TRANSPORT** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify which protocols can be used for Remote Desktop Protocol (RDP) access to this server. + +- If you enable this policy setting, you must specify if you would like RDP to use UDP. You can select one of the following options: "Use both UDP and TCP", "Use only TCP" or "Use either UDP or TCP (default)" + +If you select "Use either UDP or TCP" and the UDP connection is successful, most of the RDP traffic will use UDP. If the UDP connection is not successful or if you select "Use only TCP," all of the RDP traffic will use TCP. + +- If you disable or do not configure this policy setting, RDP will choose the optimal protocols for delivering the best user experience. + + + + +ADMX Info: +- GP Friendly name: *Select RDP transport protocols* +- GP name: *TS_SELECT_TRANSPORT* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, live thumbnails, and seamless application moves. +This policy setting applies only to RemoteApp programs and does not apply to remote desktop sessions. + +- If you enable or do not configure this policy setting, RemoteApp programs published from this RD Session Host server will use these advanced graphics. + +- If you disable this policy setting, RemoteApp programs published from this RD Session Host server will not use these advanced graphics. You may want to choose this option if you discover that applications published as RemoteApp programs do not support these advanced graphics. + + + + +ADMX Info: +- GP Friendly name: *Use advanced RemoteFX graphics for RemoteApp* +- GP name: *TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_SERVER_AUTH** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify whether the client will establish a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. + +- If you enable this policy setting, you must specify one of the following settings: + + 1. Always connect, even if authentication fails: The client connects to the RD Session Host server even if the client cannot authenticate the RD Session Host server. + + 2. Warn me if authentication fails: The client attempts to authenticate the RD Session Host server. If the RD Session Host server can be authenticated, the client establishes a connection to the RD Session Host server. If the RD Session Host server cannot be authenticated, the user is prompted to choose whether to connect to the RD Session Host server without authenticating the RD Session Host server. + + 3. Do not connect if authentication fails: The client establishes a connection to the RD Session Host server only if the RD Session Host server can be authenticated. + +- If you disable or do not configure this policy setting, the authentication setting that is specified in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. + + + + +ADMX Info: +- GP Friendly name: *Configure server authentication for client* +- GP name: *TS_SERVER_AUTH* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connections. + +- When you enable hardware encoding, if an error occurs, we will attempt to use software encoding. + +- If you disable or do not configure this policy, we will always use software encoding. + + + + +ADMX Info: +- GP Friendly name: *Configure H.264/AVC hardware encoding for Remote Desktop Connections* +- GP name: *TS_SERVER_AVC_HW_ENCODE_PREFERRED* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting prioritizes the H.264/AVC 444 graphics mode for non-RemoteFX vGPU scenarios. + +When you use this setting on the RDP server, the server will use H.264/AVC 444 as the codec in an RDP 10 connection where both the client and server can use H.264/AVC 444. + + + + +ADMX Info: +- GP Friendly name: *Prioritize H.264/AVC 444 graphics mode for Remote Desktop Connections* +- GP name: *TS_SERVER_AVC444_MODE_PREFERRED* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + +**ADMX_TerminalServer/TS_SERVER_COMPRESSOR** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify which Remote Desktop Protocol (RDP) compression algorithm to use. By default, servers use an RDP compression algorithm that is based on the server's hardware configuration. + +- If you enable this policy setting, you can specify which RDP compression algorithm to use. If you select the algorithm that is optimized to use less memory, this option is less memory-intensive, but uses more network bandwidth. + +If you select the algorithm that is optimized to use less network bandwidth, this option uses less network bandwidth, but is more memory-intensive. Additionally, a third option is available that balances memory usage and network bandwidth. + +In Windows 8 only the compression algorithm that balances memory usage and bandwidth is used. You can also choose not to use an RDP compression algorithm. Choosing not to use an RDP compression algorithm will use more network bandwidth and is only recommended if you are using a hardware device that is designed to optimize network traffic. + +Even if you choose not to use an RDP compression algorithm, some graphics data will still be compressed. + +- If you disable or do not configure this policy setting, the default RDP compression algorithm will be used. + + + + +ADMX Info: +- GP Friendly name: *Configure compression for RemoteFX data* +- GP name: *TS_SERVER_COMPRESSOR* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + +This policy setting allows you to specify the visual quality for remote users when connecting to this computer by using Remote Desktop Connection. You can use this policy setting to balance the network bandwidth usage with the visual quality that is delivered. + +- If you enable this policy setting and set quality to Low, RemoteFX Adaptive Graphics uses an encoding mechanism that results in low quality images. This mode consumes the lowest amount of network bandwidth of the quality modes. + +- If you enable this policy setting and set quality to Medium, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. This mode provides better graphics quality than low quality and uses less bandwidth than high quality. + +- If you enable this policy setting and set quality to High, RemoteFX Adaptive Graphics uses an encoding mechanism that results in high quality images and consumes moderate network bandwidth. + +- If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data is not impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that you set this for very specific cases only. + +- If you disable or do not configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. + + + + +ADMX Info: +- GP Friendly name: *Configure image quality for RemoteFX Adaptive Graphics* +- GP name: *TS_SERVER_IMAGE_QUALITY* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + +**ADMX_TerminalServer/TS_SERVER_LEGACY_RFX** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + +This policy setting allows you to control the availability of RemoteFX on both a Remote Desktop Virtualization Host (RD Virtualization Host) server and a Remote Desktop Session Host (RD Session Host) server. + +When deployed on an RD Virtualization Host server, RemoteFX delivers a rich user experience by rendering content on the server by using graphics processing units (GPUs). By default, RemoteFX for RD Virtualization Host uses server-side GPUs to deliver a rich user experience over LAN connections and RDP 7.1. When deployed on an RD Session Host server, RemoteFX delivers a rich user experience by using a hardware-accelerated compression scheme. + +- If you enable this policy setting, RemoteFX will be used to deliver a rich user experience over LAN connections and RDP 7.1. + +- If you disable this policy setting, RemoteFX will be disabled. If you do not configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled. + + + + +ADMX Info: +- GP Friendly name: *Configure RemoteFX* +- GP name: *TS_SERVER_LEGACY_RFX* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_SERVER_PROFILE** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available nework bandwidth. + +If you enable this policy setting, the RemoteFX experience could be set to one of the following options: +1. Let the system choose the experience for the network condition +2. Optimize for server scalability +3. Optimize for minimum bandwidth usage If you disable or do not configure this policy setting, the RemoteFX experience will change dynamically based on the network condition." + + + + +ADMX Info: +- GP Friendly name: *Configure RemoteFX Adaptive Graphics* +- GP name: *TS_SERVER_PROFILE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting lets you enable WDDM graphics display driver for Remote Desktop Connections. + +- If you enable or do not configure this policy setting, Remote Desktop Connections will use WDDM graphics display driver. + +- If you disable this policy setting, Remote Desktop Connections will NOT use WDDM graphics display driver. In this case, the Remote Desktop Connections will use XDDM graphics display driver. For this change to take effect, you must restart Windows. + + + + +ADMX Info: +- GP Friendly name: *Use WDDM graphics display driver for Remote Desktop Connections* +- GP name: *TS_SERVER_WDDM_GRAPHICS_DRIVER* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_Session_End_On_Limit_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. Time limits are set locally by the server administrator or by using Group Policy. + +See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. + +- If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. + +- If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. + +This policy setting only applies to time-out limits that are explicitly set by the administrator. + +This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. + + + + +ADMX Info: +- GP Friendly name: *End session when time limits are reached* +- GP name: *TS_Session_End_On_Limit_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_Session_End_On_Limit_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. Time limits are set locally by the server administrator or by using Group Policy. + +See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. + +- If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. + +- If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. + +This policy setting only applies to time-out limits that are explicitly set by the administrator. + +This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. + + + + +ADMX Info: +- GP Friendly name: *End session when time limits are reached* +- GP name: *TS_Session_End_On_Limit_2* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. +When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. + +- If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. + +- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. + +>[!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + + + +ADMX Info: +- GP Friendly name: *Set time limit for disconnected sessions* +- GP name: *TS_SESSIONS_Disconnected_Timeout_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. +When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. + +- If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. + +- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. + +>[!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + + + +ADMX Info: +- GP Friendly name: *Set time limit for disconnected sessions* +- GP name: *TS_SESSIONS_Disconnected_Timeout_2* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. + +- If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. + +- If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. + +If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. + +>[!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + + + +ADMX Info: +- GP Friendly name: *Set time limit for active but idle Remote Desktop Services sessions* +- GP name: *TS_SESSIONS_Idle_Limit_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. + +- If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. + +- If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. + +If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. + +>[!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + + + +ADMX Info: +- GP Friendly name: *Set time limit for active but idle Remote Desktop Services sessions* +- GP name: *TS_SESSIONS_Idle_Limit_2* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_SESSIONS_Limits_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. + +- If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. + +- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. + +If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. + +>[!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + + + + +ADMX Info: +- GP Friendly name: *Set time limit for active Remote Desktop Services sessions* +- GP name: *TS_SESSIONS_Limits_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_SINGLE_SESSION** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting allows you to restrict users to a single Remote Desktop Services session. If you enable this policy setting, users who log on remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. + +If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next logon. + +If you disable this policy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services. If you do not configure this policy setting, this policy setting is not specified at the Group Policy level. + + + + + +ADMX Info: +- GP Friendly name: *Restrict Remote Desktop Services users to a single Remote Desktop Services session* +- GP name: *TS_SINGLE_SESSION* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_SMART_CARD** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to control the redirection of smart card devices in a Remote Desktop Services session. + +- If you enable this policy setting, Remote Desktop Services users cannot use a smart card to log on to a Remote Desktop Services session. + +- If you disable or do not configure this policy setting, smart card device redirection is allowed. By default, Remote Desktop Services automatically redirects smart card devices on connection. + +>[!NOTE] +> The client computer must be running at least Microsoft Windows 2000 Server or at least Microsoft Windows XP Professional and the target server must be joined to a domain. + + + + +ADMX Info: +- GP Friendly name: *Do not allow smart card device redirection* +- GP name: *TS_SMART_CARD* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_START_PROGRAM_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Configures Remote Desktop Services to run a specified program automatically upon connection. You can use this setting to specify a program to run automatically when a user logs on to a remote computer. By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. + +The Start menu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off. To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. + +If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the RD Session Host server connection fails with an error message. If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program. If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) + +>[!NOTE] +> This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. + + + + +ADMX Info: +- GP Friendly name: *Start a program on connection* +- GP name: *TS_START_PROGRAM_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_START_PROGRAM_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Configures Remote Desktop Services to run a specified program automatically upon connection. You can use this setting to specify a program to run automatically when a user logs on to a remote computer. By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. + +The Start menu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off. To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. + +If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the RD Session Host server connection fails with an error message. If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program. If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) + +>[!NOTE] +> This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. + + + + +ADMX Info: +- GP Friendly name: *Start a program on connection* +- GP name: *TS_START_PROGRAM_2* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_TEMP_DELETE** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user logs off from a session. By default, Remote Desktop Services deletes a user's temporary folders when the user logs off. + +If you enable this policy setting, a user's per-session temporary folders are retained when the user logs off from a session. + +If you disable this policy setting, temporary folders are deleted when a user logs off, even if the server administrator specifies otherwise. If you do not configure this policy setting, Remote Desktop Services deletes the temporary folders from the remote computer at logoff, unless specified otherwise by the server administrator. + +>[!NOTE] +> This setting only takes effect if per-session temporary folders are in use on the server. If you enable the Do not use temporary folders per session policy setting, this policy setting has no effect. + + + + +ADMX Info: +- GP Friendly name: *Do not delete temp folders upon exit* +- GP name: *TS_TEMP_DELETE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary folders* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_TEMP_PER_SESSION** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to prevent Remote Desktop Services from creating session-specific temporary folders. + +You can use this policy setting to disable the creation of separate temporary folders on a remote computer for each session. By default, Remote Desktop Services creates a separate temporary folder for each active session that a user maintains on a remote computer. These temporary folders are created on the remote computer in a Temp folder under the user's profile folder and are named with the sessionid. + +- If you enable this policy setting, per-session temporary folders are not created. Instead, a user's temporary files for all sessions on the remote computer are stored in a common Temp folder under the user's profile folder on the remote computer. + +- If you disable this policy setting, per-session temporary folders are always created, even if the server administrator specifies otherwise. If you do not configure this policy setting, per-session temporary folders are created unless the server administrator specifies otherwise. + + + + +ADMX Info: +- GP Friendly name: *Do not use temporary folders per session* +- GP name: *TS_TEMP_PER_SESSION* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary folders* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_TIME_ZONE** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify whether the client computer redirects its time zone settings to the Remote Desktop Services session. + +- If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone). + +- If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone. + +>[!NOTE] +> Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 or later. + + + + +ADMX Info: +- GP Friendly name: *Allow time zone redirection* +- GP name: *TS_TIME_ZONE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting specifies whether to disable the administrator rights to customize security permissions for the Remote Desktop Session Host server. You can use this setting to prevent administrators from making changes to the user groups allowed to connect remotely to the RD Session Host server. By default, administrators are able to make such changes. + +- If you enable this policy setting the default security descriptors for existing groups on the RD Session Host server cannot be changed. All the security descriptors are read-only. + +- If you disable or do not configure this policy setting, server administrators have full read/write permissions to the user security descriptors by using the Remote Desktop Session WMI Provider. + +>[!NOTE] +> The preferred method of managing user access is by adding a user to the Remote Desktop Users group. + + + + +ADMX Info: +- GP Friendly name: *Do not allow local administrators to customize permissions* +- GP name: *TS_TSCC_PERMISSIONS_POLICY* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines whether the desktop is always displayed after a client connects to a remote computer or an initial program can run. It can be used to require that the desktop be displayed after a client connects to a remote computer, even if an initial program is already specified in the default user profile, Remote Desktop Connection, Remote Desktop Services client, or through Group Policy. + +- If you enable this policy setting, the desktop is always displayed when a client connects to a remote computer. This policy setting overrides any initial program policy settings. + +- If you disable or do not configure this policy setting, an initial program can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program is not specified, the desktop is always displayed on the remote computer after the client connects to the remote computer. + +>[!NOTE] +> If this policy setting is enabled, then the "Start a program on connection" policy setting is ignored. + + + + +ADMX Info: +- GP Friendly name: *Always show desktop on connection* +- GP name: *TS_TURNOFF_SINGLEAPP* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_UIA** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to restrict users to a single Remote Desktop Services session. + +If you enable this policy setting, users who log on remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next logon. + +- If you disable this policy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services. + +- If you do not configure this policy setting, this policy setting is not specified at the Group Policy level. + + + + +ADMX Info: +- GP Friendly name: *Restrict Remote Desktop Services users to a single Remote Desktop Services session* +- GP name: *TS_UIA* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* +- GP ADMX file name: *TerminalServer.admx* + + + +
From 6c5b285a5c7557bd9fbf7f58d11a2459ce3cf5a0 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 22 Nov 2021 06:27:45 +0530 Subject: [PATCH 013/122] Update policy-csp-admx-terminalserver.md --- .../mdm/policy-csp-admx-terminalserver.md | 67 +++++++++++++++++++ 1 file changed, 67 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index bb3ba3a713..e1907d8a54 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -6229,6 +6229,73 @@ ADMX Info:
+ +**ADMX_TerminalServer/TS_UIA** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to permit RDP redirection of other supported RemoteFX USB devices from this computer. Redirected RemoteFX USB devices will not be available for local usage on this computer. +If you enable this policy setting, you can choose to give the ability to redirect other supported RemoteFX USB devices over RDP to all users or only to users who are in the Administrators group on the computer. If you disable or do not configure this policy setting, other supported RemoteFX USB devices are not available for RDP redirection by using any user account. For this change to take effect, you must restart Windows. + + + + + +ADMX Info: +- GP Friendly name: *Allow RDP redirection of other supported RemoteFX USB devices from this computer* +- GP name: *TS_UIA* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client\RemoteFX USB Device Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + +
From 85669a44a796971060886f1e3c71f89a49cee46c Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 22 Nov 2021 06:31:23 +0530 Subject: [PATCH 014/122] Update policy-csp-admx-terminalserver.md --- windows/client-management/mdm/policy-csp-admx-terminalserver.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index e1907d8a54..44fb95957d 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -6283,7 +6283,6 @@ ADMX Info: This policy setting allows you to permit RDP redirection of other supported RemoteFX USB devices from this computer. Redirected RemoteFX USB devices will not be available for local usage on this computer. If you enable this policy setting, you can choose to give the ability to redirect other supported RemoteFX USB devices over RDP to all users or only to users who are in the Administrators group on the computer. If you disable or do not configure this policy setting, other supported RemoteFX USB devices are not available for RDP redirection by using any user account. For this change to take effect, you must restart Windows. - From 9f518007f6ccd7fdc27abbbf9a6dbc2eb0727e2f Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 22 Nov 2021 06:48:54 +0530 Subject: [PATCH 015/122] Update policy-csp-admx-terminalserver.md --- .../mdm/policy-csp-admx-terminalserver.md | 60 ++++++++++++++++++- 1 file changed, 59 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 44fb95957d..afc0d59440 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -165,7 +165,7 @@ manager: dansimp
ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP
-
+
ADMX_TerminalServer/TS_RADC_DefaultConnection
@@ -216,6 +216,63 @@ manager: dansimp
ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY
+
+ ADMX_TerminalServer/TS_SERVER_LEGACY_RFX +
+
+ ADMX_TerminalServer/TS_SERVER_PROFILE +
+
+ ADMX_TerminalServer/TS_SERVER_VISEXP +
+
+ ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER +
+
+ ADMX_TerminalServer/TS_Session_End_On_Limit_1 +
+
+ ADMX_TerminalServer/TS_Session_End_On_Limit_2 +
+
+ ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1 +
+
+ ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2 +
+
+ ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1 +
+
+ ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2 +
+
+ ADMX_TerminalServer/TS_SESSIONS_Limits_1 +
+
+ ADMX_TerminalServer/TS_SESSIONS_Limits_2 +
+
+ ADMX_TerminalServer/TS_SINGLE_SESSION +
+
+ ADMX_TerminalServer/TS_SMART_CARD +
+
+ ADMX_TerminalServer/TS_START_PROGRAM_1 +
+
+ ADMX_TerminalServer/TS_START_PROGRAM_2 +
+
+ ADMX_TerminalServer/TS_TEMP_DELETE +
+
+ ADMX_TerminalServer/TS_TEMP_PER_SESSION +
+
+ ADMX_TerminalServer/TS_TIME_ZONE +
@@ -6296,5 +6353,6 @@ ADMX Info:
+ From d02ee03e5f10fab0dc87b32ca8caf97955d0f39c Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 22 Nov 2021 07:08:58 +0530 Subject: [PATCH 016/122] Update policy-csp-admx-terminalserver.md --- .../mdm/policy-csp-admx-terminalserver.md | 305 +++++++++++++++++- 1 file changed, 302 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index afc0d59440..f67869e5fa 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -6288,7 +6288,7 @@ ADMX Info:
-**ADMX_TerminalServer/TS_UIA** +**ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE** @@ -6338,14 +6338,15 @@ ADMX Info: This policy setting allows you to permit RDP redirection of other supported RemoteFX USB devices from this computer. Redirected RemoteFX USB devices will not be available for local usage on this computer. -If you enable this policy setting, you can choose to give the ability to redirect other supported RemoteFX USB devices over RDP to all users or only to users who are in the Administrators group on the computer. If you disable or do not configure this policy setting, other supported RemoteFX USB devices are not available for RDP redirection by using any user account. For this change to take effect, you must restart Windows. +If you enable this policy setting, you can choose to give the ability to redirect other supported RemoteFX USB devices over RDP to all users or only to users who are in the Administrators group on the computer. +If you disable or do not configure this policy setting, other supported RemoteFX USB devices are not available for RDP redirection by using any user account. For this change to take effect, you must restart Windows. ADMX Info: - GP Friendly name: *Allow RDP redirection of other supported RemoteFX USB devices from this computer* -- GP name: *TS_UIA* +- GP name: *TS_USB_REDIRECTION_DISABLE* - GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client\RemoteFX USB Device Redirection* - GP ADMX file name: *TerminalServer.admx* @@ -6354,5 +6355,303 @@ ADMX Info:
+ + +**ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY** + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process. + +- If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server. To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase Network Level Authentication supported. + +- If you disable this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the RD Session Host server. If you do not configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default. + +Disabling this policy setting provides less security because user authentication will occur later in the remote connection process. + + + + +ADMX Info: +- GP Friendly name: *Require user authentication for remote connections by using Network Level Authentication* +- GP name: *TS_USER_AUTHENTICATION_POLICY* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_USER_HOME** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. A certificate is needed to authenticate an RD Session Host server when TLS 1.0, 1.1 or 1.2 is used to secure communication between a client and an RD Session Host server during RDP connections. + +- If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected. + +If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected. + +- If you disable or do not configure this policy, the certificate template name is not specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server. + +If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting. + + + + +ADMX Info: +- GP Friendly name: *Server authentication certificate template* +- GP name: *TS_USER_HOME* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify whether Remote Desktop Services uses a mandatory profile for all users connecting remotely to the RD Session Host server. + +- If you enable this policy setting, Remote Desktop Services uses the path specified in the "Set path for Remote Desktop Services Roaming User Profile" policy setting as the root folder for the mandatory user profile. All users connecting remotely to the RD Session Host server use the same user profile. + +- If you disable or do not configure this policy setting, mandatory user profiles are not used by users connecting remotely to the RD Session Host server. + +For this policy setting to take effect, you must also enable and configure the "Set path for Remote Desktop Services Roaming User Profile" policy setting. + + + + + +ADMX Info: +- GP Friendly name: *Use mandatory profiles on the RD Session Host server* +- GP name: *TS_USER_MANDATORY_PROFILES* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + +**ADMX_TerminalServer/TS_USER_PROFILES** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify the network path that Remote Desktop Services uses for roaming user profiles. By default, Remote Desktop Services stores all user profiles locally on the RD Session Host server. You can use this policy setting to specify a network share where user profiles can be centrally stored, allowing a user to access the same profile for sessions on all RD Session Host servers that are configured to use the network share for user profiles. If you enable this policy setting, Remote Desktop Services uses the specified path as the root directory for all user profiles. The profiles are contained in subfolders named for the account name of each user. + +To configure this policy setting, type the path to the network share in the form of \\Computername\Sharename. Do not specify a placeholder for the user account name, because Remote Desktop Services automatically adds this when the user logs on and the profile is created. + +If the specified network share does not exist, Remote Desktop Services displays an error message on the RD Session Host server and will store the user profiles locally on the RD Session Host server. + +If you disable or do not configure this policy setting, user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the Remote Desktop Services Profile tab on the user's account Properties dialog box. + +1. The roaming user profiles enabled by the policy setting apply only to Remote Desktop Services connections. A user might also have a Windows roaming user profile configured. The Remote Desktop Services roaming user profile always takes precedence in a Remote Desktop Services session. +2. To configure a mandatory Remote Desktop Services roaming user profile for all users connecting remotely to the RD Session Host server, use this policy setting together with the "Use mandatory profiles on the RD Session Host server" policy setting located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting should contain the mandatory profile. + + + + +ADMX Info: +- GP Friendly name: *Set path for Remote Desktop Services Roaming User Profile* +- GP name: *TS_USER_PROFILES* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ From 8782e39f0b704dc08d825205fdcf1e5a12db122a Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 22 Nov 2021 07:25:28 +0530 Subject: [PATCH 017/122] Update policy-csp-admx-terminalserver.md --- .../mdm/policy-csp-admx-terminalserver.md | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index f67869e5fa..727599a933 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -273,6 +273,30 @@ manager: dansimp
ADMX_TerminalServer/TS_TIME_ZONE
+
+ ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY +
+
+ ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP +
+
+ ADMX_TerminalServer/TS_UIA +
+
+ ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE +
+
+ ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY +
+
+ ADMX_TerminalServer/TS_USER_HOME +
+
+ ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES +
+
+ ADMX_TerminalServer/TS_USER_PROFILES +
From e0d3e5998873a314ba76872bcdbcfdf548574991 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 22 Nov 2021 07:55:20 +0530 Subject: [PATCH 018/122] Update policies-in-policy-csp-admx-backed.md --- .../mdm/policies-in-policy-csp-admx-backed.md | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 3b44f8e00e..e32a8a34bd 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -1177,6 +1177,50 @@ ms.date: 10/08/2020 - [ADMX_TerminalServer/TS_NoSecurityMenu](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nosecuritymenu) - [ADMX_TerminalServer/TS_PreventLicenseUpgrade](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_preventlicenseupgrade) - [ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_promt_creds_client_comp) +- [ADMX_TerminalServer/TS_RADC_DefaultConnection](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_radc_defaultconnection) +- [ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_rdsappx_waitforregistration) +- [ADMX_TerminalServer/TS_RemoteControl_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_1) +- [ADMX_TerminalServer/TS_RemoteControl_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_2) +- [ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotedesktopvirtualgraphics) +- [ADMX_TerminalServer/TS_SD_ClustName](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_clustname) +- [ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_expose_address) +- [ADMX_TerminalServer/TS_SD_Loc](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_loc) +- [ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_security_layer_policy) +- [ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_network_detect) +- [ADMX_TerminalServer/TS_SELECT_TRANSPORT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_transport) +- [ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_advanced_remotefx_remoteapp) +- [ADMX_TerminalServer/TS_SERVER_AUTH](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_auth) +- [ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc_hw_encode_preferred) +- [ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc444_mode_preferred) +- [ADMX_TerminalServer/TS_SERVER_COMPRESSOR](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_compressor) +- [ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_image_quality) +- [ADMX_TerminalServer/TS_SERVER_LEGACY_RFX](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_legacy_rfx) +- [ADMX_TerminalServer/TS_SERVER_PROFILE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_profile) +- [ADMX_TerminalServer/TS_SERVER_VISEXP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_visexp) +- [ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_wddm_graphics_driver) +- [ADMX_TerminalServer/TS_Session_End_On_Limit_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_1) +- [ADMX_TerminalServer/TS_Session_End_On_Limit_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_2) +- [ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_1) +- [ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_2) +- [ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_1) +- [ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_2) +- [ADMX_TerminalServer/TS_SESSIONS_Limit_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions__limit_1) +- [ADMX_TerminalServer/TS_SESSIONS_Limit_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions__limit_2) +- [ADMX_TerminalServer/TS_SINGLE_SESSION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_single_session) +- [ADMX_TerminalServer/TS_SMART_CARD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_smart_card) +- [ADMX_TerminalServer/TS_START_PROGRAM_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_1) +- [ADMX_TerminalServer/TS_START_PROGRAM_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_2) +- [ADMX_TerminalServer/TS_TEMP_DELETE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_delete) +- [ADMX_TerminalServer/TS_TEMP_PER_SESSION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_per_session) +- [ADMX_TerminalServer/TS_TIME_ZONE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_time_zone) +- [ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_tscc_permissions_policy) +- [ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_turnoff_singleapp) +- [ADMX_TerminalServer/TS_UIA](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_uia) +- [ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_usb_redirection_disable) +- [ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_authentication_policy) +- [ADMX_TerminalServer/TS_USER_HOME](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_home) +- [ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_mandatory_profiles) +- [ADMX_TerminalServer/TS_USER_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_profiles) - [ADMX_Thumbnails/DisableThumbnails](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnails) - [ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnailsonnetworkfolders) - [ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbsdbonnetworkfolders) From 013a58e0f8226113f7db945dac4d3fb4e0d23f65 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 22 Nov 2021 12:36:06 +0530 Subject: [PATCH 019/122] Updated --- .../policy-configuration-service-provider.md | 78 ++ .../mdm/policy-csp-admx-terminalserver.md | 690 +++++++++++++----- 2 files changed, 593 insertions(+), 175 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index fa5d7a6fb0..13d7cd2ea9 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4205,6 +4205,84 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP
+
+ ADMX_TerminalServer/TS_RADC_DefaultConnection +
+
+ ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration +
+
+ ADMX_TerminalServer/TS_RemoteControl_1 +
+
+ ADMX_TerminalServer/TS_RemoteControl_2 +
+
+ ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics +
+
+ ADMX_TerminalServer/TS_SD_ClustName +
+
+ ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS +
+
+ ADMX_TerminalServer/TS_SD_Loc +
+
+ ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY +
+
+ ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT +
+
+ ADMX_TerminalServer/TS_SELECT_TRANSPORT +
+
+ ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP +
+
+ ADMX_TerminalServer/TS_SERVER_AUTH +
+
+ ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED +
+
+ ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED +
+
+ ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED +
+
+ ADMX_TerminalServer/TS_SERVER_COMPRESSOR +
+
+ ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY +
+
+ ADMX_TerminalServer/TS_SERVER_LEGACY_RFX +
+
+ ADMX_TerminalServer/TS_SERVER_PROFILE +
+
+ ADMX_TerminalServer/TS_SERVER_VISEXP +
+
+ ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER +
+
+ ADMX_TerminalServer/TS_Session_End_On_Limit_1 +
+
+ ADMX_TerminalServer/TS_Session_End_On_Limit_2 +
+
+ ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1 +
+
+ ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2 +
### ADMX_Thumbnails policies diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 727599a933..c96ea7e054 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -567,154 +567,9 @@ ADMX Info:
- -**ADMX_TerminalServer/TS_RADC_DefaultConnection** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - - -This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs. The default connection URL must be configured in the form of [http://contoso.com/rdweb/Feed/webfeed.aspx](http://contoso.com/rdweb/Feed/webfeed.aspx). - -- If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL. - -- If you disable or do not configure this policy setting, the user has no default connection URL. - -RemoteApp programs that are installed through RemoteApp and Desktop Connections from an un-trusted server can compromise the security of a user's account. - - - - - - -ADMX Info: -- GP Friendly name: *Specify default connection URL* -- GP name: *TS_RADC_DefaultConnection* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
-**ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - - -This policy setting allows you to specify whether the app registration is completed before showing the Start screen to the user. By default, when a new user signs in to a computer, the Start screen is shown and apps are registered in the background. However, some apps may not work until app registration is complete. - -- If you enable this policy setting, user sign-in is blocked for up to 6 minutes to complete the app registration. You can use this policy setting when customizing the Start screen on Remote Desktop Session Host servers. - -- If you disable or do not configure this policy setting, the Start screen is shown and apps are registered in the background. - - - - - - -ADMX Info: -- GP Friendly name: *Suspend user sign-in to complete app registration* -- GP name: *TS_RDSAppX_WaitForRegistration* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_RemoteControl_1** +**ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1** @@ -763,32 +618,7 @@ ADMX Info: - -This policy determines whether the RPC protocol messagese used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. By default, the RPC protocol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. - -To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service. - - - - - - -ADMX Info: -- GP Friendly name: *Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers* -- GP name: *TS_RemoteControl_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_RemoteControl_2** - - - -This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. +This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). @@ -796,7 +626,7 @@ If you enable or do not configure this policy setting, users can run .rdp files If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. ->[!Note] +>[!NOTE] >You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. @@ -804,7 +634,7 @@ If you disable this policy setting, users cannot run .rdp files that are signed ADMX Info: - GP Friendly name: *Allow .rdp files from valid publishers and user's default .rdp settings* -- GP name: *TTS_CLIENT_ALLOW_SIGNED_FILES_1* +- GP name: *TS_CLIENT_ALLOW_SIGNED_FILES_1* - GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* - GP ADMX file name: *TerminalServer.admx* @@ -2742,6 +2572,82 @@ ADMX Info:
+ +**ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE** + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. + +In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting. You can enforce this policy setting or you can allow users to overwrite this setting. + +By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. To enforce this policy setting, you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" policy setting, or client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. + +To enhance security, it is also highly recommended that you specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a smart card can be used. To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. + +When you do this, users on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify a connection method, the connection method that you specify in this policy setting is used by default. + +If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. + + + + +ADMX Info: +- GP Friendly name: *Enable connection through RD Gateway* +- GP name: *TS_GATEWAY_POLICY_ENABLE* +- GP path: *Windows Components\Remote Desktop Services\RD Gateway* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ **ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD** @@ -3863,6 +3769,292 @@ ADMX Info:
+ +**ADMX_TerminalServer/TS_RADC_DefaultConnection** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs. The default connection URL must be configured in the form of [http://contoso.com/rdweb/Feed/webfeed.aspx](http://contoso.com/rdweb/Feed/webfeed.aspx). + +- If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL. + +- If you disable or do not configure this policy setting, the user has no default connection URL. + +RemoteApp programs that are installed through RemoteApp and Desktop Connections from an un-trusted server can compromise the security of a user's account. + + + + + + +ADMX Info: +- GP Friendly name: *Specify default connection URL* +- GP name: *TS_RADC_DefaultConnection* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +This policy setting allows you to specify whether the app registration is completed before showing the Start screen to the user. By default, when a new user signs in to a computer, the Start screen is shown and apps are registered in the background. However, some apps may not work until app registration is complete. + +- If you enable this policy setting, user sign-in is blocked for up to 6 minutes to complete the app registration. You can use this policy setting when customizing the Start screen on Remote Desktop Session Host servers. + +- If you disable or do not configure this policy setting, the Start screen is shown and apps are registered in the background. + + + + + + +ADMX Info: +- GP Friendly name: *Suspend user sign-in to complete app registration* +- GP name: *TS_RDSAppX_WaitForRegistration* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_RemoteControl_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy determines whether the RPC protocol messagese used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. By default, the RPC protocol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. + +To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service. + + + + + + +ADMX Info: +- GP Friendly name: *Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers* +- GP name: *TS_RemoteControl_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_RemoteControl_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy determines whether the RPC protocol messagese used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. By default, the RPC protocol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. + +To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service. + + + + + + +ADMX Info: +- GP Friendly name: *Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers* +- GP name: *TS_RemoteControl_2* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ **ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics** @@ -4973,6 +5165,77 @@ ADMX Info: +**ADMX_TerminalServer/TS_SERVER_VISEXP** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify the visual experience that remote users receive in Remote Desktop Services sessions. Remote sessions on the remote computer are then optimized to support this visual experience. By default, Remote Desktop Services sessions are optimized for rich multimedia, such as applications that use Silverlight or Windows Presentation Foundation. + +- If you enable this policy setting, you must select the visual experience for which you want to optimize Remote Desktop Services sessions. You can select either Rich multimedia or Text. + +- If you disable or do not configure this policy setting, Remote Desktop Services sessions are optimized for rich multimedia. + + + + +ADMX Info: +- GP Friendly name: *Optimize visual experience for Remote Desktop Service Sessions* +- GP name: *TS_SERVER_VISEXP* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + **ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER** @@ -5577,6 +5840,83 @@ ADMX Info: +**ADMX_TerminalServer/TS_SESSIONS_Limits_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. + +- If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. + +- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. + +If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. + +>[!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + + + + +ADMX Info: +- GP Friendly name: *Set time limit for active Remote Desktop Services sessions* +- GP name: *TS_SESSIONS_Limits_2* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + + **ADMX_TerminalServer/TS_SINGLE_SESSION** @@ -6312,7 +6652,7 @@ ADMX Info:
-**ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE** +**ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE** From 050ba1d6767b40a4a9ec0aba139c10d459d5a625 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 22 Nov 2021 12:48:35 +0530 Subject: [PATCH 020/122] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 4 ++-- .../mdm/policy-configuration-service-provider.md | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index e32a8a34bd..57ac9f7317 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -1204,8 +1204,8 @@ ms.date: 10/08/2020 - [ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_2) - [ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_1) - [ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_2) -- [ADMX_TerminalServer/TS_SESSIONS_Limit_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions__limit_1) -- [ADMX_TerminalServer/TS_SESSIONS_Limit_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions__limit_2) +- [ADMX_TerminalServer/TS_SESSIONS_Limit_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_limit_1) +- [ADMX_TerminalServer/TS_SESSIONS_Limit_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_limit_2) - [ADMX_TerminalServer/TS_SINGLE_SESSION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_single_session) - [ADMX_TerminalServer/TS_SMART_CARD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_smart_card) - [ADMX_TerminalServer/TS_START_PROGRAM_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_1) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 13d7cd2ea9..11916ac48a 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4206,7 +4206,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP
- ADMX_TerminalServer/TS_RADC_DefaultConnection + ADMX_TerminalServer/TS_RADC_DefaultConnection
ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration @@ -4239,13 +4239,13 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC ADMX_TerminalServer/TS_SELECT_TRANSPORT
- ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP + ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP
ADMX_TerminalServer/TS_SERVER_AUTH
- ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED + ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED
ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED From 34e27c8cd44ef6cc068a63f8bb95cce2eb3d3285 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 22 Nov 2021 13:17:16 +0530 Subject: [PATCH 021/122] Update policy-configuration-service-provider.md --- .../mdm/policy-configuration-service-provider.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 11916ac48a..b62b8f7d66 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4247,9 +4247,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED
-
- ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED -
ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED
From 880432985b64090b80309fd112d1531a6b200bd6 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 22 Nov 2021 13:29:38 +0530 Subject: [PATCH 022/122] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 4 ++-- .../mdm/policy-configuration-service-provider.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 57ac9f7317..0153913344 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -1204,8 +1204,8 @@ ms.date: 10/08/2020 - [ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_2) - [ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_1) - [ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_2) -- [ADMX_TerminalServer/TS_SESSIONS_Limit_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_limit_1) -- [ADMX_TerminalServer/TS_SESSIONS_Limit_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_limit_2) +- [ADMX_TerminalServer/TS_SESSIONS_Limits_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_limits_1) +- [ADMX_TerminalServer/TS_SESSIONS_Limits_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_limits_2) - [ADMX_TerminalServer/TS_SINGLE_SESSION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_single_session) - [ADMX_TerminalServer/TS_SMART_CARD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_smart_card) - [ADMX_TerminalServer/TS_START_PROGRAM_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_1) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index b62b8f7d66..a636e041e5 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4242,7 +4242,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP
- ADMX_TerminalServer/TS_SERVER_AUTH + ADMX_TerminalServer/TS_SERVER_AUTH
ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED From f5ede191b79be42c1e6d6db6bfa26f14df02605e Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 22 Nov 2021 13:43:58 +0530 Subject: [PATCH 023/122] Update policy-configuration-service-provider.md --- .../mdm/policy-configuration-service-provider.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a636e041e5..1fa8949def 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4280,6 +4280,12 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2
+
+ ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1 +
+
+ ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2 +
### ADMX_Thumbnails policies From 8e8a45bbd972cd73e93852e6f167855aef3cd54c Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Mon, 22 Nov 2021 14:03:49 +0530 Subject: [PATCH 024/122] Adding new policies in CSP .md --- .../policy-configuration-service-provider.md | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index b62b8f7d66..95217e5116 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4280,6 +4280,51 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2
+
+ ADMX_TerminalServer/TS_SINGLE_SESSION +
+
+ ADMX_TerminalServer/TS_SMART_CARD +
+
+ ADMX_TerminalServer/TS_START_PROGRAM_1 +
+
+ ADMX_TerminalServer/TS_START_PROGRAM_2 +
+
+ ADMX_TerminalServer/TS_TEMP_DELETE +
+
+ ADMX_TerminalServer/TS_TEMP_PER_SESSION +
+
+ ADMX_TerminalServer/TS_TIME_ZONE +
+
+ ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY +
+
+ ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP +
+
+ ADMX_TerminalServer/TS_UIA +
+
+ ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE +
+
+ ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY +
+
+ ADMX_TerminalServer/TS_USER_HOME +
+
+ ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES +
+
+ ADMX_TerminalServer/TS_USER_PROFILES +
### ADMX_Thumbnails policies From 84b0ba0c436ebd9397cb675d32e9a68722d73bdd Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 22 Nov 2021 14:14:56 +0530 Subject: [PATCH 025/122] Updated --- .../mdm/policy-configuration-service-provider.md | 3 ++- .../client-management/mdm/policy-csp-admx-terminalserver.md | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 1fa8949def..21a5e6f57f 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4283,9 +4283,10 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1
-
+
ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2
+
### ADMX_Thumbnails policies diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index c96ea7e054..67bd9ecc23 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -6,8 +6,8 @@ ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman -ms.date: 09/23/2020 +author: nimishasatapathy +ms.date: 11/22/2021 ms.reviewer: manager: dansimp --- From 1b4e38f020f548601e4db8961994ef0c52080f21 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 24 Nov 2021 15:27:47 +0530 Subject: [PATCH 026/122] Update policy-csp-settings.md --- .../mdm/policy-csp-settings.md | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 69c7b52c83..c595c0b078 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -29,6 +29,9 @@ manager: dansimp
Settings/AllowDateTime
+
+ Settings/AllowEditDeviceName +
Settings/AllowLanguage
@@ -266,6 +269,68 @@ The following list shows the supported values:
+ +**Settings/AllowEditDeviceName** + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy disables edit device name option on Settings. + + + + +Describes what value are supported in by this policy and meaning of each value, default value. + + + + +
+ **Settings/AllowLanguage** From 81090affab904c05f7e8547e71644cb6aca17819 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Wed, 24 Nov 2021 16:53:32 +0530 Subject: [PATCH 027/122] Updated policy-csp-storage with missing policy entries Added: - -- Storage/WPDDevicesDenyReadAccessPerDevice Storage/WPDDevicesDenyReadAccessPerUser Storage/WPDDevicesDenyWriteAccessPerDevice Storage/WPDDevicesDenyWriteAccessPerUser --- .../policy-configuration-service-provider.md | 12 + .../mdm/policy-csp-storage.md | 379 +++++++++++++++++- 2 files changed, 379 insertions(+), 12 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index bbd3101f94..f43673ae62 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -8293,6 +8293,18 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
Storage/RemovableDiskDenyWriteAccess
+
+ Storage/WPDDevicesDenyReadAccessPerDevice +
+
+ Storage/WPDDevicesDenyReadAccessPerUser +
+
+ Storage/WPDDevicesDenyWriteAccessPerDevice +
+
+ Storage/WPDDevicesDenyWriteAccessPerUser +
### System policies diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index d470d7977b..7c441baca0 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -48,6 +48,18 @@ manager: dansimp
Storage/RemovableDiskDenyWriteAccess
+
+ Storage/WPDDevicesDenyReadAccessPerDevice +
+
+ Storage/WPDDevicesDenyReadAccessPerUser +
+
+ Storage/WPDDevicesDenyWriteAccessPerDevice +
+
+ Storage/WPDDevicesDenyWriteAccessPerUser +
@@ -139,8 +151,8 @@ The following list shows the supported values: Home - - + No + No Pro @@ -218,8 +230,8 @@ ADMX Info: Home - - + No + No Pro @@ -300,8 +312,8 @@ ADMX Info: Home - - + No + No Pro @@ -382,8 +394,8 @@ ADMX Info: Home - - + No + No Pro @@ -464,8 +476,8 @@ ADMX Info: Home - - + No + No Pro @@ -552,8 +564,8 @@ ADMX Info: Home - - + No + No Pro @@ -782,5 +794,348 @@ See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settin
+ +**Storage/WPDDevicesDenyReadAccessPerDevice** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android: + +- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth +- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth +- Mass Storage Class (MSC) over USB + +If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android. + +Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications[TC(1] [TW2]. + +>[!NOTE] +> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. + +Supported values for this policy are: +- Not configured +- 1-Enabled +- 0-Disabled + + + +ADMX Info: +- GP Friendly name: *WPD Devices: Deny read access* +- GP name: *WPDDevices_DenyRead_Access_2* +- GP path: *System/Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + + + + + + + +
+ + +**Storage/WPDDevicesDenyReadAccessPerUser** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android: + +- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth +- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth +- Mass Storage Class (MSC) over USB + +If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android. + +Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications[TC(1] [TW2]. + +>[!NOTE] +> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. + +Supported values for this policy are: +- Not configured +- 1-Enabled +- 0-Disabled + + + +ADMX Info: +- GP Friendly name: *WPD Devices: Deny read access* +- GP name: *WPDDevices_DenyRead_Access_1* +- GP path: *System/Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + + + + + + + +
+ + +**Storage/WPDDevicesDenyWriteAccessPerDevice** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android: + +- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth +- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth +- Mass Storage Class (MSC) over USB + +If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android. + +Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications. + +>[!NOTE] +> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. + +Supported values for this policy are: +- Not configured +- 1-Enabled +- 0-Disabled + + + +ADMX Info: +- GP Friendly name: *WPD Devices: Deny write access* +- GP name: *WPDDevices_DenyWrite_Access_2* +- GP path: *System/Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + + + + + + + +
+ + +**Storage/WPDDevicesDenyWriteAccessPerUser** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android: + +- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth +- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth +- Mass Storage Class (MSC) over USB + +If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android. + +Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications. + +>[!NOTE] +> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. + +Supported values for this policy are: +- Not configured +- 1-Enabled +- 0-Disabled + + + +ADMX Info: +- GP Friendly name: *WPD Devices: Deny write access* +- GP name: *WPDDevices_DenyWrite_Access_2* +- GP path: *System/Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + + + + + + + +
From aa235ef9ef42e6fa7216a75c16dec08bde0cd0b2 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Wed, 24 Nov 2021 17:05:05 +0530 Subject: [PATCH 028/122] fix --- .../mdm/policy-csp-storage.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 7c441baca0..cdf3d508a1 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -857,10 +857,10 @@ Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer j >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. -Supported values for this policy are: -- Not configured -- 1-Enabled -- 0-Disabled +Supported values for this policy are: +- Not configured +- Enabled +- Disabled @@ -945,8 +945,8 @@ Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer j Supported values for this policy are: - Not configured -- 1-Enabled -- 0-Disabled +- Enabled +- Disabled @@ -1031,8 +1031,8 @@ Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer j Supported values for this policy are: - Not configured -- 1-Enabled -- 0-Disabled +- Enabled +- Disabled @@ -1117,8 +1117,8 @@ Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer j Supported values for this policy are: - Not configured -- 1-Enabled -- 0-Disabled +- Enabled +- Disabled From a434405f888184557819da4da5d76ee1530e8d5b Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 24 Nov 2021 17:38:34 +0530 Subject: [PATCH 029/122] Update policy-csp-search.md --- .../mdm/policy-csp-search.md | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 8eb0dbe3ea..667994f6ca 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -24,6 +24,9 @@ manager: dansimp
Search/AllowCloudSearch
+
+ Search/AllowCortanaInAAD +
Search/AllowFindMyFiles
@@ -138,6 +141,76 @@ The following list shows the supported values:
+ +**Search/AllowCortanaInAAD** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + + + +ADMX Info: +- GP English name: *Allow Cloud Search* +- GP name: *AllowCortanaInAAD* +- GP element: *AllowCloudSearch_Dropdown* +- GP path: *Windows Components/Search* +- GP ADMX file name: *Search.admx* + + + + +This is a simple boolean value, default false, that can be set by MDM policy to allow the Cortana Page in OOBE when logged in with an AAD account. + + + + +
+ From fcc0a6224db041d4a29d540b95ca60fe0c82ef1b Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Wed, 24 Nov 2021 18:09:12 +0530 Subject: [PATCH 030/122] correction! --- windows/client-management/mdm/policy-csp-storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index cdf3d508a1..318ae0e1ce 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -1124,7 +1124,7 @@ Supported values for this policy are: ADMX Info: - GP Friendly name: *WPD Devices: Deny write access* -- GP name: *WPDDevices_DenyWrite_Access_2* +- GP name: *WPDDevices_DenyWrite_Access_1* - GP path: *System/Removable Storage Access* - GP ADMX file name: *RemovableStorage.admx* From a4c6bd8998a1d2c2b32439f5d2d5dc2f5a5c8205 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 24 Nov 2021 19:27:49 +0530 Subject: [PATCH 031/122] Update policy-csp-power.md --- .../client-management/mdm/policy-csp-power.md | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 367d969417..e8b4361743 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -22,6 +22,9 @@ manager: dansimp ## Power policies
+
+ Power/AllowHibernate +
Power/AllowStandbyStatesWhenSleepingOnBattery
@@ -98,6 +101,71 @@ manager: dansimp > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
+ + +**Power/AllowHibernate** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + + + + +ADMX Info: +- GP Friendly name: *Decides if hibernate on the machine is allowed or not* +- GP name: *AllowHibernate* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + + +
From 61fa2b89662ef007259e506b1830a5442694d41d Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 24 Nov 2021 19:37:26 +0530 Subject: [PATCH 032/122] Notification update --- .../mdm/policy-csp-notifications.md | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 643ef3e681..7ba7ed964f 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -31,6 +31,9 @@ manager: dansimp
Notifications/DisallowTileNotification
+
+ Notifications/WnsEndpoint +
@@ -280,5 +283,77 @@ Validation:
+ +**Notifications/WnsEndpoint** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +This policy setting determines which Windows Notification Service endpoint will be used to connect for Windows Push Notifications. + +If you disable or do not configure this setting, the push notifications will connect to the default endpoint of client.wns.windows.com. + +Note: Ensure the proper WNS FQDNs, VIPs, IPs and Ports are also whitelisted from your firewall settings. + + + +ADMX Info: +- GP Friendly name: *Required for Airgap servers that may have a unique FQDN that is different from the public endpoint* +- GP name: *WnsEndpoint* +- GP path: *Start Menu and Taskbar/Notifications* +- GP ADMX file name: *WPN.admx* + + + +If the policy is not specified, we will default our connection to client.wns.windows.com. + + + +
+ \ No newline at end of file From f8f49eb21fb57214ae41e6fad3c026c7e781c7e2 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 29 Nov 2021 10:44:49 +0500 Subject: [PATCH 033/122] Update deploy-whats-new.md --- windows/deployment/deploy-whats-new.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index b092bc6e3c..cb6320f60a 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -92,7 +92,7 @@ The following Delivery Optimization policies are removed in the Windows 10, vers - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. -- [**Automatic Restart Sign-on (ARSO)**](/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. - **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. @@ -221,4 +221,4 @@ For more information, see the following guides: [Windows 10 release information](/windows/windows-10/release-information)
[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications)
[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
-[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
\ No newline at end of file +[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
From 05da0a4d72ea29d814cd086a1bc52f1b090cc245 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 30 Nov 2021 17:22:03 +0530 Subject: [PATCH 034/122] Update policy-csp-update.md --- .../mdm/policy-csp-update.md | 101 ++++++++++++++++-- 1 file changed, 90 insertions(+), 11 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index c38caf5830..edc685637d 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -72,6 +72,9 @@ manager: dansimp
Update/ConfigureDeadlineGracePeriod
+
+ Update/ConfigureDeadlineGracePeriodForFeatureUpdates +
Update/ConfigureDeadlineNoAutoReboot
@@ -1333,8 +1336,7 @@ The following list shows the supported values: - -Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. +Allows admins to specify the number of days before feature updates are installed on the device automatically. Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours, according to [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot). After the deadline passes, restarts will occur regardless of active hours and users will not be able to reschedule. ADMX Info: @@ -1346,7 +1348,7 @@ ADMX Info: -Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. +Supports a numeric value from 0-30 (2-30 in Windows 10, versions 1803 and 1709), which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. Note that when set to 0, the update will download and install immediately upon offering, but might not finish within the day due to device availability and network connectivity. Default value is 7. @@ -1410,8 +1412,7 @@ Default value is 7. - -Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. +Allows admins to specify the number of days before quality updates are installed on a device automatically. Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours, according to [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot). After deadline passes, restarts will occur regardless of active hours and users will not be able to reschedule. ADMX Info: @@ -1423,7 +1424,7 @@ ADMX Info: -Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required quality update. +Supports a numeric value from 0-30 (2-30 in Windows 10, versions 1803 and 1709), which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. Note that when set to 0, the update will download and install immediately upon offering, but might not finish within the day due to device availability and network connectivity. Default value is 7. @@ -1487,8 +1488,7 @@ Default value is 7. - -Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies. +When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates),allows the admin to specify a minimum number of days until restarts occur automatically for quality updates. Setting the grace period might extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) is configured but this policy is not, then the default value of 2 will be used. @@ -1501,7 +1501,7 @@ ADMX Info: -Supports a numeric value from 0 - 7, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached. +Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically after installing a required quality update. Default value is 2. @@ -1515,6 +1515,84 @@ Default value is 2.
+ +**Update/ConfigureDeadlineGracePeriodForFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates), allows the admin to specify a minimum number of days until restarts occur automatically for feature updates. Setting the grace period may extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) is configured but this policy is not, then the value from [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) will be used; if that policy is also not configured, then the default value of 2 will be used. + + + +ADMX Info: +- GP Friendly name: *Specify deadlines for automatic updates and restarts* +- GP name: *ConfigureDeadlineGracePeriodForFeatureUpdates* +- GP element: *ConfigureDeadlineGracePeriodForFeatureUpdates* +- GP path: *Administrative Templates\Windows Components\WindowsUpdate* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically after installing a required feature update. +Default value is 2. + + + + + + + + + + +
+ **Update/ConfigureDeadlineNoAutoReboot** @@ -1565,10 +1643,11 @@ Default value is 2. +When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will delay automatically restarting until both the deadline and grace period have expired, even if applicable updates are already installed and pending a restart. -If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart. +When disabled, if the device has installed updates and is outside of active hours, it might attempt an automatic restart before the deadline. -When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline. + ADMX Info: From f4d4d41af079a31a49eeebd296d6598517f87073 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Fri, 3 Dec 2021 12:20:39 +0530 Subject: [PATCH 035/122] Converted Html tables to md format --- .../mdm/policy-csp-admx-terminalserver.md | 3565 ++++------------- 1 file changed, 716 insertions(+), 2849 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index deab09567c..fadaf0bcba 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -399,38 +399,14 @@ ADMX Info: **ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -475,38 +451,14 @@ ADMX Info: **ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -524,38 +476,14 @@ ADMX Info: **ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -593,44 +521,20 @@ ADMX Info: -
+ **ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -675,38 +579,14 @@ ADMX Info: **ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -746,38 +626,14 @@ ADMX Info: **ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -817,38 +673,14 @@ ADMX Info: **ADMX_TerminalServer/TS_CLIENT_AUDIO** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -892,38 +724,14 @@ ADMX Info: **ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -965,38 +773,14 @@ ADMX Info: **ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -1040,38 +824,14 @@ ADMX Info: **ADMX_TerminalServer/TS_CLIENT_CLIPBOARD** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -1115,38 +875,14 @@ ADMX Info: **ADMX_TerminalServer/TS_CLIENT_COM** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -1190,38 +926,14 @@ ADMX Info: **ADMX_TerminalServer/TS_CLIENT_DEFAULT_M** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -1265,38 +977,14 @@ ADMX Info: **ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -1336,38 +1024,14 @@ ADMX Info: **ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -1407,38 +1071,14 @@ ADMX Info: **ADMX_TerminalServer/TS_CLIENT_LPT** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -1478,38 +1118,14 @@ ADMX Info: **ADMX_TerminalServer/TS_CLIENT_PNP** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -1552,38 +1168,14 @@ ADMX Info: **ADMX_TerminalServer/TS_CLIENT_PRINTER** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -1625,38 +1217,14 @@ ADMX Info: **ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -1703,38 +1271,14 @@ ADMX Info: **ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -1781,38 +1325,14 @@ ADMX Info: **ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -1852,38 +1372,14 @@ ADMX Info: **ADMX_TerminalServer/TS_COLORDEPTH** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -1931,38 +1427,14 @@ ADMX Info: **ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -2007,38 +1479,14 @@ ADMX Info: **ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -2079,38 +1527,14 @@ ADMX Info: **ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -2153,38 +1577,14 @@ ADMX Info: **ADMX_TerminalServer/TS_EASY_PRINT** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -2227,38 +1627,14 @@ ADMX Info: **ADMX_TerminalServer/TS_EASY_PRINT_User** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -2301,38 +1677,14 @@ ADMX Info: **ADMX_TerminalServer/TS_EnableVirtualGraphics** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -2376,38 +1728,14 @@ ADMX Info: **ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -2455,38 +1783,14 @@ ADMX Info: **ADMX_TerminalServer/TS_FORCIBLE_LOGOFF** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -2528,38 +1832,14 @@ ADMX Info: **ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -2604,38 +1884,14 @@ ADMX Info: **ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -2677,38 +1933,14 @@ ADMX Info: **ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -2755,38 +1987,14 @@ ADMX Info: **ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -2832,38 +2040,14 @@ ADMX Info: **ADMX_TerminalServer/TS_KEEP_ALIVE** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -2905,38 +2089,14 @@ ADMX Info: **ADMX_TerminalServer/TS_LICENSE_SECGROUP** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -2981,38 +2141,14 @@ ADMX Info: **ADMX_TerminalServer/TS_LICENSE_SERVERS** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -3056,38 +2192,14 @@ ADMX Info: **ADMX_TerminalServer/TS_LICENSE_TOOLTIP** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -3129,38 +2241,14 @@ ADMX Info: **ADMX_TerminalServer/TS_LICENSING_MODE** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -3205,38 +2293,14 @@ ADMX Info: **ADMX_TerminalServer/TS_MAX_CON_POLICY** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -3283,38 +2347,14 @@ ADMX Info: **ADMX_TerminalServer/TS_MAXDISPLAYRES** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -3354,38 +2394,14 @@ ADMX Info: **ADMX_TerminalServer/TS_MAXMONITOR** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -3425,38 +2441,14 @@ ADMX Info: **ADMX_TerminalServer/TS_NoDisconnectMenu** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -3501,38 +2493,14 @@ ADMX Info: **ADMX_TerminalServer/TS_NoSecurityMenu** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -3572,38 +2540,14 @@ ADMX Info: **ADMX_TerminalServer/TS_PreventLicenseUpgrade** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -3649,38 +2593,14 @@ ADMX Info: **ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -3725,38 +2645,14 @@ ADMX Info: **ADMX_TerminalServer/TS_RADC_DefaultConnection** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -3799,38 +2695,14 @@ ADMX Info: **ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -3871,38 +2743,14 @@ ADMX Info: **ADMX_TerminalServer/TS_RemoteControl_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -3941,38 +2789,14 @@ ADMX Info: **ADMX_TerminalServer/TS_RemoteControl_2** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -4011,38 +2835,14 @@ ADMX Info: **ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -4085,38 +2885,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SD_ClustName** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -4160,38 +2936,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -4234,38 +2986,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SD_Loc** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -4311,38 +3039,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -4387,38 +3091,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -4463,38 +3143,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SELECT_TRANSPORT** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -4536,38 +3192,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -4608,38 +3240,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SERVER_AUTH** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -4685,38 +3293,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -4756,38 +3340,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -4819,43 +3379,20 @@ ADMX Info:
+ **ADMX_TerminalServer/TS_SERVER_COMPRESSOR** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -4901,38 +3438,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -4971,43 +3484,20 @@ ADMX Info:
+ **ADMX_TerminalServer/TS_SERVER_LEGACY_RFX** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -5048,38 +3538,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SERVER_PROFILE** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -5120,38 +3586,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SERVER_VISEXP** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -5191,38 +3633,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -5262,38 +3680,14 @@ ADMX Info: **ADMX_TerminalServer/TS_Session_End_On_Limit_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -5339,38 +3733,14 @@ ADMX Info: **ADMX_TerminalServer/TS_Session_End_On_Limit_2** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -5416,38 +3786,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -5491,38 +3837,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -5566,38 +3888,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -5642,38 +3940,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -5718,38 +3992,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SESSIONS_Limits_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -5795,38 +4045,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SESSIONS_Limits_2** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -5872,38 +4098,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SINGLE_SESSION** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -5944,38 +4146,14 @@ ADMX Info: **ADMX_TerminalServer/TS_SMART_CARD** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -6018,38 +4196,14 @@ ADMX Info: **ADMX_TerminalServer/TS_START_PROGRAM_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -6092,38 +4246,14 @@ ADMX Info: **ADMX_TerminalServer/TS_START_PROGRAM_2** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -6166,38 +4296,14 @@ ADMX Info: **ADMX_TerminalServer/TS_TEMP_DELETE** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -6240,38 +4346,14 @@ ADMX Info: **ADMX_TerminalServer/TS_TEMP_PER_SESSION** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -6313,38 +4395,14 @@ ADMX Info: **ADMX_TerminalServer/TS_TIME_ZONE** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -6387,38 +4445,14 @@ ADMX Info: **ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -6461,38 +4495,14 @@ ADMX Info: **ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -6535,38 +4545,14 @@ ADMX Info: **ADMX_TerminalServer/TS_UIA** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -6602,43 +4588,20 @@ ADMX Info:
+ **ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -6676,38 +4639,14 @@ ADMX Info: **ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -6749,38 +4688,14 @@ ADMX Info: **ADMX_TerminalServer/TS_USER_HOME** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -6824,38 +4739,14 @@ ADMX Info: **ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
@@ -6898,38 +4789,14 @@ ADMX Info: **ADMX_TerminalServer/TS_USER_PROFILES** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|
From f79ffc90a802bf98d36e7b94f44685f3c9c4a731 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Fri, 10 Dec 2021 16:46:16 +0530 Subject: [PATCH 036/122] Updated as per feedback --- windows/client-management/mdm/policy-csp-storage.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 1050e76e25..da73c643b4 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -612,7 +612,7 @@ This policy will do the enforcement over the following protocols which are used If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android. -Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications[TC(1] [TW2]. +Audit/Warn – Audit/Warn modes with customer justifications. >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. @@ -674,7 +674,7 @@ This policy will do the enforcement over the following protocols which are used If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android. -Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications[TC(1] [TW2]. +Audit/Warn – Audit/Warn modes with customer justifications. >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. @@ -736,7 +736,7 @@ This policy will do the enforcement over the following protocols which are used If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android. -Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications. +Audit/Warn – Audit/Warn modes with customer justifications. >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. @@ -798,7 +798,7 @@ This policy will do the enforcement over the following protocols which are used If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android. -Audit/Warn – P1: in the future, will consider Audit/Warn modes with customer justifications. +Audit/Warn – Audit/Warn modes with customer justifications. >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. From e7ff5a99ee5a7f7610ed5f5a81baafc67d46b865 Mon Sep 17 00:00:00 2001 From: dlmsft <91010553+dlmsft@users.noreply.github.com> Date: Wed, 15 Dec 2021 10:43:36 +0200 Subject: [PATCH 037/122] Update policy-csp-defender.md --- windows/client-management/mdm/policy-csp-defender.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 102d605e73..b062db74a9 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -571,6 +571,9 @@ The following list shows the supported values: +> [!IMPORTANT] +> AllowOnAccessProtection is officially being deprecated. +
From 5a4a37565b21d15a515bb2097713be9cc21db82d Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 18 Dec 2021 08:55:53 +0500 Subject: [PATCH 038/122] Update security-identifiers.md --- .../access-control/security-identifiers.md | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index d9d4084ca6..6abe9b1c87 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md @@ -166,7 +166,7 @@ The following table lists the universal well-known SIDs. | S-1-5 | NT Authority | A SID that represents an identifier authority. | | S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system.| -The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the last value is used with well-known SIDs in Windows operating systems designated in the **Applies To** list. +The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the rest values are used with well-known SIDs in Windows operating systems designated in the **Applies To** list. | Identifier Authority | Value | SID String Prefix | | - | - | - | @@ -174,6 +174,8 @@ The following table lists the predefined identifier authority constants. The fir | SECURITY_WORLD_SID_AUTHORITY | 1 | S-1-1 | | SECURITY_LOCAL_SID_AUTHORITY | 2 | S-1-2 | | SECURITY_CREATOR_SID_AUTHORITY | 3 | S-1-3 | +| SECURITY_NT_AUTHORITY | 5 | S-1-5 | +| SECURITY_AUTHENTICATION_AUTHORITY | 18 | S-1-18 | The following RID values are used with universal well-known SIDs. The Identifier authority column shows the prefix of the identifier authority with which you can combine the RID to create a universal well-known SID. @@ -256,14 +258,6 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID | S-1-5-80 | NT Service | A SID that is used as an NT Service account prefix.| | S-1-5-80-0 | All Services| A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICES\ALL SERVICES. This SID was introduced in Windows Server 2008 R2.| | S-1-5-83-0| NT VIRTUAL MACHINE\Virtual Machines| A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the **Create Symbolic Links** right (SeCreateSymbolicLinkPrivilege), and also the **Log on as a Service** right (SeServiceLogonRight). | -| S-1-16-0| Untrusted Mandatory Level| A SID that represents an untrusted integrity level.| -| S-1-16-4096 | Low Mandatory Level| A SID that represents a low integrity level.| -| S-1-16-8192 | Medium Mandatory Level| This SID represents a medium integrity level.| -| S-1-16-8448 | Medium Plus Mandatory Level| A SID that represents a medium plus integrity level.| -| S-1-16-12288 | High Mandatory Level| A SID that represents a high integrity level.| -| S-1-16-16384 | System Mandatory Level| A SID that represents a system integrity level.| -| S-1-16-20480 | Protected Process Mandatory Level| A SID that represents a protected-process integrity level.| -| S-1-16-28672 | Secure Process Mandatory Level| A SID that represents a secure process integrity level.| The following RIDs are relative to each domain. From 0b54331172ecc794b48f6e38556881adbd7137cb Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 18 Dec 2021 10:05:59 +0500 Subject: [PATCH 039/122] Update advanced-troubleshooting-boot-problems.md --- .../advanced-troubleshooting-boot-problems.md | 42 +++---------------- 1 file changed, 6 insertions(+), 36 deletions(-) diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index 8a7c060339..0c976ceceb 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md @@ -150,49 +150,19 @@ If you receive BCD-related errors, follow these steps: 2. Restart the computer to check whether the problem is fixed. -3. If the problem is not fixed, run the following command: - - ```console - Bootrec /rebuildbcd - ``` - -4. You might receive one of the following outputs: - - ```console - Scanning all disks for Windows installations. Please wait, since this may take a while ... - Successfully scanned Windows installations. Total identified Windows installations: 0 - The operation completed successfully. - ``` - - ```console - Scanning all disks for Windows installations. Please wait, since this may take a while ... - Successfully scanned Windows installations. Total identified Windows installations: 1 - D:\Windows - Add installation to boot list? Yes/No/All: - ``` - - If the output shows **windows installation: 0**, run the following commands: +3. If the problem is not fixed, run the following commands: ```console bcdedit /export c:\bcdbackup - attrib c:\\boot\\bcd -r –s -h + attrib c:\boot\bcd -r -s -h - ren c:\\boot\\bcd bcd.old + ren c:\boot\bcd bcd.old bootrec /rebuildbcd ``` - - After you run the command, you receive the following output: - - ```console - Scanning all disks for Windows installations. Please wait, since this may take a while ... - Successfully scanned Windows installations. Total identified Windows installations: 1 - {D}:\Windows - Add installation to boot list? Yes/No/All: Y - ``` -5. Try restarting the system. +4. Restart the system. ### Method 4: Replace Bootmgr @@ -206,7 +176,7 @@ If methods 1, 2 and 3 do not fix the problem, replace the Bootmgr file from driv attrib -r -s -h ``` -3. Run the same **attrib** command on the Windows (system drive): +3. Navigate to the system drive and run the same command: ```console attrib -r -s -h @@ -394,7 +364,7 @@ If the dump file shows an error that is related to a driver (for example, window - To do this, open WinRE, open a command prompt, and then run the following command: ```console - SFC /Scannow /OffBootDir=C:\ /OffWinDir=E:\Windows + SFC /Scannow /OffBootDir=C:\ /OffWinDir=C:\Windows ``` For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues) From d8387f1fd56d24278ca2b7f4aa4c9cf82e5e894c Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 18 Dec 2021 10:14:25 +0500 Subject: [PATCH 040/122] Update trusted-platform-module-services-group-policy-settings.md --- .../trusted-platform-module-services-group-policy-settings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md index 56600aa23a..c934a6161a 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -36,7 +36,7 @@ The following Group Policy settings were introduced in Windows. ## Configure the level of TPM owner authorization information available to the operating system >[!IMPORTANT] ->Beginning with Windows 10 version 1607 and Windows Server 2016, this policy setting is no longer used by Windows, but it continues to appear in GPEdit.msc for compatibility with previous versions. Beginning with Windows 10 version 1703, the default value is 5. This value is implemented during provisioning so that another Windows component can either delete it or take ownership of it, depending on the system configuration. For TPM 2.0, a value of 5 means keep the lockout authorization. For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization. +>Beginning with Windows 10 version 1703, the default value is 5. This value is implemented during provisioning so that another Windows component can either delete it or take ownership of it, depending on the system configuration. For TPM 2.0, a value of 5 means keep the lockout authorization. For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization. This policy setting configured which TPM authorization values are stored in the registry of the local computer. Certain authorization values are required in order to allow Windows to perform certain actions. @@ -149,4 +149,4 @@ If you don't want users to see the recommendation to update TPM firmware, you ca - [Trusted Platform Module](trusted-platform-module-top-node.md) - [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true) -- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md) \ No newline at end of file +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md) From 889829a233c13cc3c3f97047326d9ccdda0be1df Mon Sep 17 00:00:00 2001 From: Office Content Publishing <34616516+officedocspr@users.noreply.github.com> Date: Sat, 18 Dec 2021 23:33:26 -0800 Subject: [PATCH 041/122] Uploaded file: education-content-updates.md - 2021-12-18 23:33:26.3383 --- education/includes/education-content-updates.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index ba848193c2..1c5a8d3904 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md @@ -2,6 +2,15 @@ +## Week of December 13, 2021 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 12/13/2021 | [What is Windows 11 SE](/education/windows/windows-11-se-overview) | modified | +| 12/13/2021 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified | + + ## Week of November 29, 2021 From 927c97b7fc9d870a020b8f90734174fcf2c00102 Mon Sep 17 00:00:00 2001 From: Office Content Publishing <34616516+officedocspr@users.noreply.github.com> Date: Sat, 18 Dec 2021 23:33:28 -0800 Subject: [PATCH 042/122] Uploaded file: store-for-business-content-updates.md - 2021-12-18 23:33:27.9849 --- .../includes/store-for-business-content-updates.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md index e84a7708a4..d14bc10108 100644 --- a/store-for-business/includes/store-for-business-content-updates.md +++ b/store-for-business/includes/store-for-business-content-updates.md @@ -2,6 +2,17 @@ +## Week of December 13, 2021 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 12/13/2021 | [Microsoft Store for Business and Education release history](/microsoft-store/release-history-microsoft-store-business-education) | modified | +| 12/13/2021 | [Change history for Microsoft Store for Business and Education](/microsoft-store/sfb-change-history) | modified | +| 12/14/2021 | [Manage user accounts in Microsoft Store for Business and Microsoft Store for Education (Windows 10)](/microsoft-store/manage-users-and-groups-microsoft-store-for-business) | modified | +| 12/14/2021 | [Troubleshoot Microsoft Store for Business (Windows 10)](/microsoft-store/troubleshoot-microsoft-store-for-business) | modified | + + ## Week of November 15, 2021 From a1c26d17732c5476aff31bfb83583e9f52531b55 Mon Sep 17 00:00:00 2001 From: Office Content Publishing <34616516+officedocspr@users.noreply.github.com> Date: Sat, 18 Dec 2021 23:33:35 -0800 Subject: [PATCH 043/122] Uploaded file: smb-content-updates.md - 2021-12-18 23:33:34.8448 --- smb/includes/smb-content-updates.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/smb/includes/smb-content-updates.md b/smb/includes/smb-content-updates.md index 4cebea6e8c..e8f13c7d35 100644 --- a/smb/includes/smb-content-updates.md +++ b/smb/includes/smb-content-updates.md @@ -2,10 +2,9 @@ -## Week of October 25, 2021 +## Week of December 13, 2021 | Published On |Topic title | Change | |------|------------|--------| -| 10/28/2021 | [Deploy and manage a full cloud IT solution for your business](/windows/smb/cloud-mode-business-setup) | modified | -| 10/28/2021 | [Windows 10/11 for small to midsize businesses](/windows/smb/index) | modified | +| 12/14/2021 | [Deploy and manage a full cloud IT solution for your business](/windows/smb/cloud-mode-business-setup) | modified | From 40e0815dc6355c38b2bc92a6e021f04034f794d5 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 20 Dec 2021 11:26:24 +0500 Subject: [PATCH 044/122] Update special-identities.md --- .../access-control/special-identities.md | 122 +++++++++++++++++- 1 file changed, 121 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index d4abeec003..c1871a8804 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -19,7 +19,7 @@ ms.reviewer: # Special Identities **Applies to** -- Windows Server 2016 +- Windows Server 2016 or later This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control. @@ -97,6 +97,18 @@ Any user who accesses the system through an anonymous logon has the Anonymous Lo |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights|None| +## Attested Key Property + + +A SID that means the key trust object had the attestation property. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-18-6 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Authenticated Users @@ -109,6 +121,18 @@ Any user who accesses the system through a sign-in process has the Authenticated |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
[Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| +## Authentication Authority Asserted Identity + + +A SID that means the client's identity is asserted by an authentication authority based on proof of possession of client credentials. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-18-1 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Batch @@ -121,6 +145,18 @@ Any user or process that accesses the system as a batch job (or through the batc |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| none| +## Console Logon + + +A group that includes users who are logged on to the physical console. This SID can be used to implement security policies that grant different rights based on whether a user has been granted physical access to the console. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-2-1 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Creator Group @@ -197,6 +233,18 @@ Membership is controlled by the operating system. |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
[Act as part of the operating system](/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system): SeTcbPrivilege
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| +## Fresh public key identity + + +A SID that means the client's identity is asserted by an authentication authority based on proof of current possession of client public key credentials. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-18-3 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Interactive @@ -209,6 +257,30 @@ Any user who is logged on to the local system has the Interactive identity. This |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| None| +## IUSR + + +Internet Information Services (IIS) use this account by default whenever anonymous authentication is enabled. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-17 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + +## Key Trust + + +A SID that means the client's identity is based on proof of possession of public key credentials using the key trust object. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-18-4 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Local Service @@ -234,6 +306,18 @@ This is a service account that is used by the operating system. The LocalSystem |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights|None| +## MFA Key Property + + +A SID that means the key trust object had the multifactor authentication (MFA) property. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-18-5 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Network This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system. @@ -279,6 +363,18 @@ This group implicitly includes all users who are logged on to the system through |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| None | +## Owner Rights + + +A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-3-4 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Principal Self @@ -291,6 +387,18 @@ This identity is a placeholder in an ACE on a user, group, or computer object in |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| None | +## Proxy + + +Identifies a SECURITY_NT_AUTHORITY Proxy. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-8 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Remote Interactive Logon @@ -338,6 +446,18 @@ Any service that accesses the system has the Service identity. This identity gro |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
| +## Service Asserted Identity + + +A SID that means the client's identity is asserted by a service. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-18-2 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Terminal Server User From 3e908026f1ace25e9b0f3738d9a602248ed75f44 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Mon, 20 Dec 2021 07:41:42 -0800 Subject: [PATCH 045/122] Apply suggestions from code review Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../trusted-platform-module-services-group-policy-settings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md index c934a6161a..c70105fc3b 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -35,8 +35,8 @@ The following Group Policy settings were introduced in Windows. ## Configure the level of TPM owner authorization information available to the operating system ->[!IMPORTANT] ->Beginning with Windows 10 version 1703, the default value is 5. This value is implemented during provisioning so that another Windows component can either delete it or take ownership of it, depending on the system configuration. For TPM 2.0, a value of 5 means keep the lockout authorization. For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization. +> [!IMPORTANT] +> Beginning with Windows 10 version 1703, the default value is 5. This value is implemented during provisioning so that another Windows component can either delete it or take ownership of it, depending on the system configuration. For TPM 2.0, a value of 5 means keep the lockout authorization. For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization. This policy setting configured which TPM authorization values are stored in the registry of the local computer. Certain authorization values are required in order to allow Windows to perform certain actions. From 1fac02defe8f4eb5d94d4887d79a7915c0465b2e Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Mon, 20 Dec 2021 14:54:15 -0500 Subject: [PATCH 046/122] Removing Win10 Mobile --- .../wcd/wcd-connectivityprofiles.md | 2 +- windows/configuration/wcd/wcd-start.md | 2 +- .../update/windows-update-overview.md | 2 +- ...ndows-diagnostic-events-and-fields-1703.md | 20 +-- ...ndows-diagnostic-events-and-fields-1709.md | 24 ++-- ...ndows-diagnostic-events-and-fields-1803.md | 22 ++-- ...ndows-diagnostic-events-and-fields-1809.md | 20 +-- ...ndows-diagnostic-events-and-fields-1903.md | 20 +-- ...system-components-to-microsoft-services.md | 120 +++++++++--------- ...windows-11-diagnostic-events-and-fields.md | 20 +-- ...-diagnostic-data-events-and-fields-2004.md | 20 +-- .../privacy/windows-diagnostic-data-1703.md | 30 +++-- .../hello-aad-join-cloud-only-deploy.md | 20 ++- .../hello-errors-during-pin-creation.md | 15 ++- .../hello-for-business/hello-overview.md | 2 +- .../hello-why-pin-is-better-than-password.md | 8 +- .../retired/hello-how-it-works.md | 25 +--- 17 files changed, 184 insertions(+), 188 deletions(-) diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md index 33b7de451b..06e8834e67 100644 --- a/windows/configuration/wcd/wcd-connectivityprofiles.md +++ b/windows/configuration/wcd/wcd-connectivityprofiles.md @@ -198,7 +198,7 @@ Enter a SSID, click **Add**, and then configure the following settings for the S | Settings | Description | | --- | --- | -| ProxyServerPort | (Optional) Specify the configuration of the network proxy as **host:port**. A proxy server host and port can be specified per connection for Windows 10 for mobile devices. The host can be server name, FQDN, or SLN or IPv4 or IPv6 address. This proxy configuration is only supported in Windows 10 for mobile devices. Using this configuration in Windows 10 for desktop editions will result in failure. | +| ProxyServerPort | (Optional) Don't use. Using this configuration in Windows 10 client editions will result in failure. | | AutoConnect | (Optional) Select **True** or **false** to specify whether to automatically connect to WLAN. | | HiddenNetwork | (Optional) Select **True** or **false** to specify whether the network is hidden. | | SecurityType | Choose between **Open**, **WEP**, and **WPA2-Personal**.

If you select **WEP** or **WPA2-Personal**, enter the **SecurityKey** required by the WLAN. | diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md index b5e9674a75..421801f668 100644 --- a/windows/configuration/wcd/wcd-start.md +++ b/windows/configuration/wcd/wcd-start.md @@ -28,5 +28,5 @@ Use Start settings to apply a customized Start screen to devices. ## StartLayout -Use StartLayout to select the `LayoutModification.xml` file that applies a customized Start screen to a mobile device. +Use StartLayout to select the `LayoutModification.xml` file that applies a customized Start screen. diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md index 696e499750..829c4474a9 100644 --- a/windows/deployment/update/windows-update-overview.md +++ b/windows/deployment/update/windows-update-overview.md @@ -17,7 +17,7 @@ ms.topic: article >Applies to: Windows 10 -With the release of Windows 10, we moved the update model to the Unified Update Platform. Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for all types of OS updates, desktop and mobile for all Windows-based operating systems, for everything from monthly quality updates to new feature updates. +With the release of Windows 10, we moved the update model to the Unified Update Platform. Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for all types of OS updates, client devices for all Windows-based operating systems, for everything from monthly quality updates to new feature updates. Use the following information to get started with Windows Update: diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 092765080d..d9a53c0bbe 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -2134,7 +2134,7 @@ This event sends basic metadata about the starting point of uninstalling a featu ### Microsoft.Windows.HangReporting.AppHangEvent -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. The following fields are available: @@ -4511,7 +4511,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgent_FellBackToCanonical -This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4609,7 +4609,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentCommit -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4625,7 +4625,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentDownloadRequest -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4656,7 +4656,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentExpand -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4676,7 +4676,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentInitialize -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4742,7 +4742,7 @@ This event sends a summary of all the update agent mitigations available for an ### Update360Telemetry.UpdateAgentModeStart -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4758,13 +4758,13 @@ The following fields are available: ### Update360Telemetry.UpdateAgentOneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. ### Update360Telemetry.UpdateAgentSetupBoxLaunch -The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5006,7 +5006,7 @@ This event sends a summary of all the setup mitigations available for this updat ### Setup360Telemetry.Setup360OneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 3c8ba7c332..6ff190f770 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -2217,7 +2217,7 @@ This event sends basic metadata about the starting point of uninstalling a featu ### Microsoft.Windows.HangReporting.AppHangEvent -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. The following fields are available: @@ -4358,7 +4358,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgent_FellBackToCanonical -This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4456,7 +4456,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentCommit -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4472,7 +4472,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentDownloadRequest -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4504,7 +4504,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentExpand -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4524,7 +4524,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentFellBackToCanonical -This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4540,7 +4540,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentInitialize -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4636,7 +4636,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentModeStart -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4652,7 +4652,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentOneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4670,7 +4670,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentPostRebootResult -This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4687,7 +4687,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentSetupBoxLaunch -The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5061,7 +5061,7 @@ This event sends a summary of all the setup mitigations available for this updat ### Setup360Telemetry.Setup360OneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index fd5ad905a1..8cb3c84765 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -3169,7 +3169,7 @@ This event sends basic metadata about the starting point of uninstalling a featu ### Microsoft.Windows.HangReporting.AppHangEvent -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. The following fields are available: @@ -5581,7 +5581,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentCommit -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5597,7 +5597,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentDownloadRequest -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5629,7 +5629,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentExpand -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5649,7 +5649,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentFellBackToCanonical -This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5665,7 +5665,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentInitialize -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5763,7 +5763,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentModeStart -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5779,7 +5779,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentOneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5797,7 +5797,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentPostRebootResult -This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5819,7 +5819,7 @@ This event sends information indicating that a request has been sent to suspend ### Update360Telemetry.UpdateAgentSetupBoxLaunch -The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -6263,7 +6263,7 @@ The following fields are available: ### Setup360Telemetry.Setup360OneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 9b705e998d..f559d37880 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -4451,7 +4451,7 @@ This event sends basic metadata about the starting point of uninstalling a featu ### Microsoft.Windows.HangReporting.AppHangEvent -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. The following fields are available: @@ -7066,7 +7066,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentCommit -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7082,7 +7082,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentDownloadRequest -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7119,7 +7119,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentExpand -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7139,7 +7139,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentFellBackToCanonical -This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7155,7 +7155,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentInitialize -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7254,7 +7254,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentModeStart -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7270,7 +7270,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentOneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7288,7 +7288,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentPostRebootResult -This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7691,7 +7691,7 @@ The following fields are available: ### Setup360Telemetry.Setup360OneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 1e9eb3a8f7..1b56b7ee14 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -4553,7 +4553,7 @@ This event indicates that the uninstall was properly configured and that a syste ### Microsoft.Windows.HangReporting.AppHangEvent -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. The following fields are available: @@ -7271,7 +7271,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentCommit -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7288,7 +7288,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentDownloadRequest -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7333,7 +7333,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentExpand -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7355,7 +7355,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentInitialize -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7456,7 +7456,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentModeStart -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7472,7 +7472,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentOneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7490,7 +7490,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentPostRebootResult -This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7527,7 +7527,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentSetupBoxLaunch -The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7859,7 +7859,7 @@ The following fields are available: ### Setup360Telemetry.Setup360OneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index deeb4eb40a..2c58a0c1e0 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -277,7 +277,7 @@ Use Group Policies to manage settings for Cortana. For more info, see [Cortana, ### 2.1 Cortana and Search Group Policies -Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**. +Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**. | Policy | Description | |------------------------------------------------------|---------------------------------------------------------------------------------------| @@ -299,7 +299,7 @@ You can also apply the Group Policies using the following registry keys: > [!IMPORTANT] > Using the Group Policy editor these steps are required for all supported versions of Windows 10 and Windows 11, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016. -1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security** > **Windows Defender Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. +1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security** > **Windows Defender Firewall with Advanced Security - **, and then click **Outbound Rules**. 2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts. @@ -334,7 +334,7 @@ If your organization tests network traffic, do not use a network proxy as Window You can prevent Windows from setting the time automatically. -- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically** +- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically** -or- @@ -342,7 +342,7 @@ You can prevent Windows from setting the time automatically. After that, configure the following: -- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Windows Time Service** > **Time Providers** > **Enable Windows NTP Client** +- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Windows Time Service** > **Time Providers** > **Enable Windows NTP Client** -or- @@ -353,7 +353,7 @@ After that, configure the following: To prevent Windows from retrieving device metadata from the Internet: -- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. -or - @@ -402,7 +402,7 @@ Windows Insider Preview builds only apply to Windows 10 and Windows 11 and are n To turn off Insider Preview builds for a released version of Windows 10 or Windows 11: -- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. +- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. To turn off Insider Preview builds for Windows 10 and Windows 11: @@ -413,7 +413,7 @@ To turn off Insider Preview builds for Windows 10 and Windows 11: -or- -- **Enable** the Group Policy **Toggle user control over Insider builds** under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** +- **Enable** the Group Policy **Toggle user control over Insider builds** under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** -or- @@ -427,9 +427,9 @@ To turn off Insider Preview builds for Windows 10 and Windows 11: | Policy | Description | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites.
**Set Value to: Disabled**
You can also turn this off in the UI by clearing the **Internet Options** > **Advanced** > **Enable Suggested Sites** check box.| +| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites.
**Set Value to: Disabled**
You can also turn this off in the UI by clearing the **Internet Options** > **Advanced** > **Enable Suggested Sites** check box.| | Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the Address Bar.
**Set Value to: Disabled**| -| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the Address Bar.
**Set Value to: Enabled**
You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| +| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the Address Bar.
**Set Value to: Enabled**
You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| | Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
**Set Value to: Enabled**| | Prevent managing Microsoft Defender SmartScreen | Choose whether employees can manage the Microsoft Defender SmartScreen in Internet Explorer.
**Set Value to: Enabled** and then set **Select Windows Defender SmartScreen mode** to **Off**.| @@ -533,13 +533,11 @@ To turn off Live Tiles: - Create a REG_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a **value of 1 (one)** -In Windows 10 or Windows 11 Mobile, you must also unpin all tiles that are pinned to Start. - ### 11. Mail synchronization To turn off mail synchronization for Microsoft Accounts that are configured on a device: -- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts. +- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts. -or- @@ -567,7 +565,7 @@ For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile ### 13.1 Microsoft Edge Group Policies -Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. +Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. | Policy | Description | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| @@ -636,7 +634,7 @@ In versions of Windows 10 prior to version 1607 and Windows Server 2016, the URL You can turn off NCSI by doing one of the following: -- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** > [!NOTE] > After you apply this policy, you must restart the device for the policy setting to take effect. @@ -653,7 +651,7 @@ You can turn off the ability to download and update offline maps. -or- -- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** -or- @@ -671,7 +669,7 @@ You can turn off the ability to download and update offline maps. To turn off OneDrive in your organization: -- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** -or- @@ -679,7 +677,7 @@ To turn off OneDrive in your organization: -and- -- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent OneDrive from generating network traffic until the user signs in to OneDrive (Enable)** +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent OneDrive from generating network traffic until the user signs in to OneDrive (Enable)** -or- @@ -809,9 +807,9 @@ To remove the Sticky notes app: - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage** -### 18. Settings > Privacy & security +### 18. Settings > Privacy & security -Use Settings > Privacy & security to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. +Use Settings > Privacy & security to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. - [18.1 General](#bkmk-general) @@ -874,7 +872,7 @@ To turn off **Let apps use advertising ID to make ads more interesting to you ba -or- -- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. -or- @@ -911,7 +909,7 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin -or- -- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. -or- @@ -950,7 +948,7 @@ To turn off **Let apps on my other devices open apps and continue experiences on -or- -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Continue experiences on this device**. +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Continue experiences on this device**. -or- @@ -970,7 +968,7 @@ To turn off **Location for this device**: -or- -- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. -or- @@ -982,7 +980,7 @@ To turn off **Allow apps to access your location**: -or- -- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** and set the **Select a setting** box to **Force Deny**. +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** and set the **Select a setting** box to **Force Deny**. -or- @@ -1007,7 +1005,7 @@ To turn off **Let apps use my camera**: -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera** - Set the **Select a setting** box to **Force Deny**. @@ -1030,7 +1028,7 @@ To turn off **Let apps use my microphone**: -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone** - Set the **Select a setting** box to **Force Deny**. @@ -1105,7 +1103,7 @@ To turn off **Let apps access my name, picture, and other account info**: -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information** - Set the **Select a setting** box to **Force Deny**. @@ -1128,7 +1126,7 @@ To turn off **Choose apps that can access contacts**: -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** - Set the **Select a setting** box to **Force Deny**. @@ -1146,7 +1144,7 @@ To turn off **Let apps access my calendar**: -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar**. Set the **Select a setting** box to **Force Deny**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar**. Set the **Select a setting** box to **Force Deny**. -or- @@ -1166,7 +1164,7 @@ To turn off **Let apps access my call history**: -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history** - Set the **Select a setting** box to **Force Deny**. @@ -1184,7 +1182,7 @@ To turn off **Let apps access and send email**: -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email** - Set the **Select a setting** box to **Force Deny**. @@ -1202,7 +1200,7 @@ To turn off **Let apps read or send messages (text or MMS)**: -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging** - Set the **Select a setting** box to **Force Deny**. @@ -1220,7 +1218,7 @@ To turn off **Choose apps that can read or send messages**: -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Messaging** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Messaging** - Set the **Allow Message Service Cloud Sync** to **Disable**. @@ -1234,7 +1232,7 @@ To turn off **Let apps make phone calls**: -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps make phone calls** and set the **Select a setting** box to **Force Deny**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps make phone calls** and set the **Select a setting** box to **Force Deny**. -or- @@ -1255,7 +1253,7 @@ To turn off **Let apps control radios**: -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios** and set the **Select a setting** box to **Force Deny**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios** and set the **Select a setting** box to **Force Deny**. -or- @@ -1276,7 +1274,7 @@ To turn off **Let apps automatically share and sync info with wireless devices t -or- -- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps communicate with unpaired devices** and set the **Select a setting** box to **Force Deny**. +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps communicate with unpaired devices** and set the **Select a setting** box to **Force Deny**. -or- @@ -1288,7 +1286,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co -or- -- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices** and set the **Select a setting** box to **Force Deny**. +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices** and set the **Select a setting** box to **Force Deny**. -or- @@ -1308,7 +1306,7 @@ To change how frequently **Windows should ask for my feedback**: -or- -- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications** +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications** -or- @@ -1533,7 +1531,7 @@ Enterprise customers can manage their Windows activation status with volume lice **For Windows 10 and Windows 11:** -- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** -or- @@ -1541,7 +1539,7 @@ Enterprise customers can manage their Windows activation status with volume lice **For Windows Server 2019 or later:** -- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** -or- @@ -1560,7 +1558,7 @@ Enterprise customers can manage their Windows activation status with volume lice Enterprise customers can manage updates to the Disk Failure Prediction Model. For Windows 10 and Windows 11: -- **Disable** this Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Storage Health** > **Allow downloading updates to the Disk Failure Prediction Model** +- **Disable** this Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Storage Health** > **Allow downloading updates to the Disk Failure Prediction Model** -or- @@ -1570,11 +1568,11 @@ For Windows 10 and Windows 11: You can control if your settings are synchronized: -- In the UI: **Settings** > **Accounts** > **Sync your settings** +- In the UI: **Settings** > **Accounts** > **Sync your settings** -or- -- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync**. Leave the "Allow users to turn syncing on" checkbox **unchecked**. +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync**. Leave the "Allow users to turn syncing on" checkbox **unchecked**. -or- @@ -1594,7 +1592,7 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command. > [!NOTE] > If you disable Teredo, some XBOX gaming features and Delivery Optimization (with Group or Internet peering) will not work. -- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**. +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**. -or- @@ -1614,7 +1612,7 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha -or- -- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**. +- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**. -or- @@ -1632,7 +1630,7 @@ You can disconnect from the Microsoft Antimalware Protection Service. > 1. Ensure Windows and Microsoft Defender Antivirus are fully up to date. > 2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link and then scroll down to the Tamper Protection toggle to set it to **Off**. -- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS** +- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS** -OR- @@ -1645,7 +1643,7 @@ You can disconnect from the Microsoft Antimalware Protection Service. You can stop sending file samples back to Microsoft. -- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Never Send**. +- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Never Send**. -or- @@ -1655,14 +1653,14 @@ You can stop sending file samples back to Microsoft. You can stop downloading **Definition Updates**: > [!NOTE] -> The Group Policy path for 1809 and earlier builds is **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Signature Updates** +> The Group Policy path for 1809 and earlier builds is **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Signature Updates** -- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. +- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. -and- -- **Disable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates** > **Define file shares for downloading definition updates** and set it to **Nothing**. +- **Disable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates** > **Define file shares for downloading definition updates** and set it to **Nothing**. -or- @@ -1687,7 +1685,7 @@ You can turn off **Enhanced Notifications** as follows: -or- -- **Enable** the Group Policy **Turn off enhanced notifications** under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Reporting**. +- **Enable** the Group Policy **Turn off enhanced notifications** under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Reporting**. -or- @@ -1759,7 +1757,7 @@ This will also turn off automatic app updates, and the Microsoft Store will be d In addition, new email accounts cannot be created by clicking **Settings** > **Accounts** > **Email & app accounts** > **Add an account**. On Windows Server 2016, this will block Microsoft Store calls from Universal Windows Apps. -- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Microsoft Store**. +- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Microsoft Store**. -or- @@ -1767,7 +1765,7 @@ On Windows Server 2016, this will block Microsoft Store calls from Universal Win -AND- -- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**. +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**. -or- @@ -1793,15 +1791,15 @@ Use the UI, Group Policy, or Registry Keys to set up Delivery Optimization. In Windows 10, version 1607 and above, and Windows 11 you can stop network traffic related to Delivery Optimization Cloud Service by setting **Download Mode** to **Simple Mode** (99), as described below. -### 28.1 Settings > Update & security +### 28.1 Settings > Update & security You can set up Delivery Optimization Peer-to-Peer from the **Settings** UI. -- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. +- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. ### 28.2 Delivery Optimization Group Policies -You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. +You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. | Policy | Description | |---------------------------|-----------------------------------------------------------------------------------------------------| @@ -1816,7 +1814,7 @@ For a comprehensive list of Delivery Optimization Policies, see [Delivery Optimi ### 28.3 Delivery Optimization -- **Enable** the **Download Mode** Group Policy under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization** and set the **Download Mode** to **"Simple Mode (99)"** to prevent traffic between peers as well as traffic back to the Delivery Optimization Cloud Service. +- **Enable** the **Download Mode** Group Policy under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization** and set the **Download Mode** to **"Simple Mode (99)"** to prevent traffic between peers as well as traffic back to the Delivery Optimization Cloud Service. -or- @@ -1854,19 +1852,19 @@ You can turn off Windows Update by setting the following registry entries: -OR- -- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations** to **Enabled** +- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations** to **Enabled** -and- -- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features** to **Enabled** +- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features** to **Enabled** -and- -- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** to **Enabled** and ensure all Option settings (Intranet Update Service, Intranet Statistics Server, Alternate Download Server) are set to **" "** +- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** to **Enabled** and ensure all Option settings (Intranet Update Service, Intranet Statistics Server, Alternate Download Server) are set to **" "** -and- -- Set the Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Remove access to use all Windows Update features** to **Enabled** and then set **Computer Configurations** to **0 (zero)**. +- Set the Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Remove access to use all Windows Update features** to **Enabled** and then set **Computer Configurations** to **0 (zero)**. You can turn off automatic updates by doing the following. This is not recommended. diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md index beeccde7a0..15e7aedf43 100644 --- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -3347,7 +3347,7 @@ This event indicates that the uninstall was properly configured and that a syste ### Microsoft.Windows.HangReporting.AppHangEvent -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. The following fields are available: @@ -5608,7 +5608,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentCommit -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5625,7 +5625,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentDownloadRequest -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5670,7 +5670,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentExpand -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5692,7 +5692,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentInitialize -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5775,7 +5775,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentModeStart -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5791,7 +5791,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentOneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5809,7 +5809,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentPostRebootResult -This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5845,7 +5845,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentSetupBoxLaunch -The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -6159,7 +6159,7 @@ The following fields are available: ### Setup360Telemetry.Setup360OneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index 029b3c691d..a65bf318aa 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -3300,7 +3300,7 @@ The following fields are available: ### Microsoft.Windows.HangReporting.AppHangEvent -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. The following fields are available: @@ -6047,7 +6047,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentCommit -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -6064,7 +6064,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentDownloadRequest -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -6109,7 +6109,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentExpand -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -6131,7 +6131,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentInitialize -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -6232,7 +6232,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentModeStart -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -6248,7 +6248,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentOneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -6266,7 +6266,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentPostRebootResult -This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -6303,7 +6303,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentSetupBoxLaunch -The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -6635,7 +6635,7 @@ The following fields are available: ### Setup360Telemetry.Setup360OneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: diff --git a/windows/privacy/windows-diagnostic-data-1703.md b/windows/privacy/windows-diagnostic-data-1703.md index 0ccee01ea1..8e0e2a5a2a 100644 --- a/windows/privacy/windows-diagnostic-data-1703.md +++ b/windows/privacy/windows-diagnostic-data-1703.md @@ -95,17 +95,29 @@ This type of data includes software installation and update information on the d ## Browsing History data -This type of data includes details about web browsing in the Microsoft browsers. - -| Category Name | Description and Examples | -| - | - | -| Microsoft browser data | Information about Address bar and search box performance on the device such as:
  • Text typed in address bar and search box
  • Text selected for Ask Cortana search
  • Service response time
  • Autocompleted text if there was an autocomplete
  • Navigation suggestions provided based on local history and favorites
  • Browser ID
  • URLs (which may include search terms)
  • Page title
| +**Microsoft browser data**: This type of data includes details about web browsing, the address bar, and search box performance on the device in the Microsoft browsers, such as: +- Text typed in address bar and search box +- Text selected for Ask Cortana search +- Service response time +- Autocompleted text if there was an autocomplete +- Navigation suggestions provided based on local history and favorites +- Browser ID +- URLs (which may include search terms) +- Page title ## Inking Typing and Speech Utterance data -This type of data gathers details about the voice, inking, and typing input features on the device. +**Voice, inking, and typing**: This type of data gathers details about the voice, inking, and typing input features on the device, such as: -| Category Name | Description and Examples | -| - | - | -| Voice, inking, and typing | Information about voice, inking, and typing features such as:
  • Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used
  • Pen gestures (click, double-click, pan, zoom, rotate)
  • Palm Touch x,y coordinates
  • Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate
  • Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values) which could be used to reconstruct the original content or associate the input to the user.
  • Text input from Windows Mobile on-screen keyboards except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.
  • Text of speech recognition results - result codes and recognized text
  • Language and model of the recognizer, System Speech language
  • App ID using speech features
  • Whether user is known to be a child
  • Confidence and Success/Failure of speech recognition
| \ No newline at end of file +- Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used +- Pen gestures (click, double-click, pan, zoom, rotate) +- Palm Touch x,y coordinates +- Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate +- Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values) which could be used to reconstruct the original content or associate the input to the user. +- Text input from Windows on-screen keyboards except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user. +- Text of speech recognition results - result codes and recognized text +- Language and model of the recognizer, System Speech language +- App ID using speech features +- Whether user is known to be a child +- Confidence and Success/Failure of speech recognition diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index fccc969f85..a645f56f3b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -51,40 +51,36 @@ If you use this Supports MFA switch with value **True**, you must verify that yo ## Use Intune to disable Windows Hello for Business enrollment -We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). +We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy. For more specific information, see [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). -However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you aren't using Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. +### Disable Windows Hello for Business using Intune Enrollment policy -## Disable Windows Hello for Business using Intune Enrollment policy +The following method explains how to disable Windows Hello for Business enrollment without Intune. 1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. 3. If you don't want to enable Windows Hello for Business during device enrollment, select **Disabled** for **Configure Windows Hello for Business**. - When disabled, users cannot provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. + When disabled, users cannot provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. > [!NOTE] > This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](hello-manage-in-organization.md). ## Disable Windows Hello for Business enrollment without Intune -The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you don't manage them with Intune. This push can also be set manually on the specific device(s). +If you don't use Intune in your organization, then you can disable Windows Hello for Business using the registry. You can use a third-party MDM, or some other method that you use to manage these devices. Because these systems are Azure AD Joined only, and not domain joined, these settings can also be made manually in the registry. -Because these systems are Azure AD Joined only, and not domain joined, these settings could be made in the registry on the device(s) when Intune isn't used. - -Here are the registry settings an Intune policy would set. - -Intune Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies`** +Intune uses the following registry keys: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies`** To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) -These registry settings are pushed from Intune for user policies for your reference. +These registry settings are pushed from Intune for user policies: - Intune User Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies`** - DWORD: **UsePassportForWork** - Value = **0** for Disable, or Value = **1** for Enable -For your reference, these registry settings can be applied from Local or Group Policies. +These registry settings can be applied from Local or Group Policies: - Local/GPO User Policy: **`HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork`** - Local/GPO Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork`** diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 27ec5e7658..e5e4fe1324 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -1,6 +1,6 @@ --- title: Windows Hello errors during PIN creation (Windows) -description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step. +description: When you set up Windows Hello in Windows 10/11, you may get an error during the Create a work PIN step. ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 keywords: PIN, error, create a work PIN ms.prod: m365-security @@ -26,7 +26,7 @@ ms.date: 05/05/2018 - Windows 10 - Windows 11 -When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. +When you set up Windows Hello in Windows client, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. ## Where is the error code? @@ -37,11 +37,12 @@ The following image shows an example of an error during **Create a PIN**. ## Error mitigations When a user encounters an error when creating the work PIN, advise the user to try the following steps. Many errors can be mitigated by one of these steps. -1. Try to create the PIN again. Some errors are transient and resolve themselves. -2. Sign out, sign in, and try to create the PIN again. -3. Reboot the device and then try to create the PIN again. -4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a desktop PC, go to **Settings** > **System** > **About** and select **Disconnect from organization**. To unjoin a device running Windows 10 Mobile, you must [reset the device](/windows/client-management/reset-a-windows-10-mobile-device). -5. On mobile devices, if you are unable to setup a PIN after multiple attempts, reset your device and start over. For help on how to reset your phone go to [Reset my phone](/windows/client-management/reset-a-windows-10-mobile-device). + +1. Try to create the PIN again. Some errors are transient and resolve themselves. +2. Sign out, sign in, and try to create the PIN again. +3. Reboot the device and then try to create the PIN again. +4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a device, go to **Settings** > **System** > **About** > select **Disconnect from organization**. + If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance. | Hex | Cause | Mitigation | diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index be17f3e5ce..a730b8d478 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -24,7 +24,7 @@ localizationpriority: medium - Windows 10 - Windows 11 -In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. +In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. >[!NOTE] > When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index 66b952c2e2..88adebf4e7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md @@ -49,7 +49,7 @@ When the PIN is created, it establishes a trusted relationship with the identity   ## PIN is backed by hardware -The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM. +The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Many modern devices have TPM. User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised. @@ -64,7 +64,7 @@ The Windows Hello for Business PIN is subject to the same set of IT management p To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user's biometrics or guess his or her PIN—and all of this must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device. You can provide additional protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins. -**Configure BitLocker without TPM** +### Configure BitLocker without TPM 1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy: @@ -72,7 +72,9 @@ You can provide additional protection for laptops that don't have TPM by enablin 2. In the policy option, select **Allow BitLocker without a compatible TPM**, and then click **OK.** 3. Go to Control Panel > **System and Security > BitLocker Drive Encryption** and select the operating system drive to protect. -**Set account lockout threshold** + +### Set account lockout threshold + 1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy: **Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Account lockout threshold** diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md index e6350966ce..7a06722124 100644 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md @@ -17,9 +17,8 @@ ms.topic: article **Applies to** -- Windows 10 +- Windows 10 - Windows 11 -- Windows 10 Mobile Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. @@ -63,9 +62,10 @@ Containers can contain several types of key material: - An authentication key, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key. - Virtual smart card keys are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked. - The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways: - - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831498(v=ws.11)). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container. - - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don’t have or need a PKI. - + + - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831498(v=ws.11)). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container. + - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don’t have or need a PKI. + ## How keys are protected Any time key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate and protect keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the device can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed. @@ -102,19 +102,6 @@ Windows Hello depends on having compatible IDPs available to it. As of this writ - Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document. - - - - - - - - - - - - - ## Related topics - [Windows Hello for Business](../hello-identity-verification.md) @@ -124,4 +111,4 @@ Windows Hello depends on having compatible IDPs available to it. As of this writ - [Windows Hello and password changes](../hello-and-password-changes.md) - [Windows Hello errors during PIN creation](../hello-errors-during-pin-creation.md) - [Event ID 300 - Windows Hello successfully created](../hello-event-300.md) -- [Windows Hello biometrics in the enterprise](../hello-biometrics-in-enterprise.md) \ No newline at end of file +- [Windows Hello biometrics in the enterprise](../hello-biometrics-in-enterprise.md) From 3922cc0837d0f590ebd361f23da5a1a308d371d3 Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Mon, 20 Dec 2021 15:05:11 -0500 Subject: [PATCH 047/122] updating with master; Fixed suggestions --- .../basic-level-windows-diagnostic-events-and-fields-1703.md | 2 +- .../basic-level-windows-diagnostic-events-and-fields-1709.md | 2 +- .../basic-level-windows-diagnostic-events-and-fields-1803.md | 2 +- .../basic-level-windows-diagnostic-events-and-fields-1809.md | 2 +- .../basic-level-windows-diagnostic-events-and-fields-1903.md | 2 +- ...windows-operating-system-components-to-microsoft-services.md | 2 +- .../privacy/required-windows-11-diagnostic-events-and-fields.md | 2 +- .../required-windows-diagnostic-data-events-and-fields-2004.md | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index d9a53c0bbe..43752ab87d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -1,5 +1,5 @@ --- -description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. +description: Learn more about the Windows 10, version 1703 diagnostic data gathered at the basic level. title: Windows 10, version 1703 basic diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: m365-security diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 6ff190f770..f20bf940f2 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -1,5 +1,5 @@ --- -description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. +description: Learn more about the Windows 10, version 1709 diagnostic data gathered at the basic level. title: Windows 10, version 1709 basic diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: m365-security diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 8cb3c84765..5e5a751b1b 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -1,5 +1,5 @@ --- -description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. +description: Learn more about the Windows 10, version 1803 diagnostic data gathered at the basic level. title: Windows 10, version 1803 basic diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: m365-security diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index f559d37880..bcfa0ba684 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -1,5 +1,5 @@ --- -description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. +description: Learn more about the Windows 10, version 1809 diagnostic data gathered at the basic level. title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: m365-security diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 1b56b7ee14..85415f07f6 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -1,5 +1,5 @@ --- -description: Use this article to learn more about what required Windows diagnostic data is gathered. +description: Learn more about the Windows 10, version 1903 diagnostic data gathered at the basic level. title: Windows 10, version 1909 and Windows 10, version 1903 required diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: m365-security diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 2c58a0c1e0..e5f880e174 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -299,7 +299,7 @@ You can also apply the Group Policies using the following registry keys: > [!IMPORTANT] > Using the Group Policy editor these steps are required for all supported versions of Windows 10 and Windows 11, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016. -1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security** > **Windows Defender Firewall with Advanced Security - **, and then click **Outbound Rules**. +1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security** > **Windows Defender Firewall with Advanced Security - `LDAP name`**, and then click **Outbound Rules**. 2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts. diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md index 15e7aedf43..4d22a793a5 100644 --- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -1,5 +1,5 @@ --- -description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. +description: Learn more about the Windows 11 diagnostic data gathered at the basic level. title: Required Windows 11 diagnostic events and fields keywords: privacy, telemetry ms.prod: m365-security diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index a65bf318aa..ed71ed6cd6 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -1,5 +1,5 @@ --- -description: Use this article to learn more about what required Windows diagnostic data is gathered. +description: Learn more about the required Windows 10 diagnostic data gathered. title: Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: m365-security From 63f8fc68f9c9b74d97d101c8a89b4249fb46b68c Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Mon, 20 Dec 2021 18:20:47 -0500 Subject: [PATCH 048/122] removing Win10 Mobile --- .openpublishing.redirection.json | 18 +- windows/security/identity-protection/index.md | 12 +- ...gital-certificates-on-windows-10-mobile.md | 76 ---- .../vpn/vpn-connection-type.md | 2 +- .../vpn/vpn-profile-options.md | 44 ++- .../app-behavior-with-wip.md | 3 +- .../collect-wip-audit-event-logs.md | 3 +- ...reate-and-verify-an-efs-dra-certificate.md | 54 ++- ...e-vpn-and-wip-policy-using-intune-azure.md | 53 ++- .../create-wip-policy-using-intune-azure.md | 1 - .../deploy-wip-policy-using-intune-azure.md | 5 +- .../enlightened-microsoft-apps-and-wip.md | 1 - .../guidance-and-best-practices-wip.md | 4 +- .../mandatory-settings-for-wip.md | 1 - .../overview-create-wip-policy-configmgr.md | 4 +- .../overview-create-wip-policy.md | 2 +- .../protect-enterprise-data-using-wip.md | 1 - ...recommended-network-definitions-for-wip.md | 25 +- .../using-owa-with-wip.md | 6 - .../wip-app-enterprise-context.md | 12 +- .../wip-learning.md | 11 +- .../windows-10-mobile-security-guide.md | 334 ------------------ 22 files changed, 127 insertions(+), 545 deletions(-) delete mode 100644 windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md delete mode 100644 windows/security/threat-protection/windows-10-mobile-security-guide.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 38511a691a..fa2dc0a8d0 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,5 +1,15 @@ { "redirections": [ + { + "source_path": "windows/security/threat-protection/windows-10-mobile-security-guide.md", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", + "redirect_document_id": false + }, { "source_path": "windows/client-management/mdm/windowssecurityauditing-ddf-file.md", "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", @@ -5157,7 +5167,7 @@ }, { "source_path": "windows/device-security/windows-10-mobile-security-guide.md", - "redirect_url": "/windows/security/threat-protection/windows-10-mobile-security-guide", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_document_id": false }, { @@ -5462,7 +5472,7 @@ }, { "source_path": "windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md", - "redirect_url": "/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_document_id": false }, { @@ -12072,7 +12082,7 @@ }, { "source_path": "windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md", - "redirect_url": "/windows/access-protection/installing-digital-certificates-on-windows-10-mobile", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_document_id": false }, { @@ -13562,7 +13572,7 @@ }, { "source_path": "windows/keep-secure/windows-10-mobile-security-guide.md", - "redirect_url": "/windows/device-security/windows-10-mobile-security-guide", + "redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5", "redirect_document_id": false }, { diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md index e4ecd908cf..29506cac5f 100644 --- a/windows/security/identity-protection/index.md +++ b/windows/security/identity-protection/index.md @@ -1,6 +1,6 @@ --- title: Identity and access management (Windows 10) -description: Learn more about identity and access protection technologies in Windows 10 and Windows 10 Mobile. +description: Learn more about identity and access protection technologies in Windows. ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library @@ -17,18 +17,18 @@ ms.date: 02/05/2018 # Identity and access management -Learn more about identity and access management technologies in Windows 10 and Windows 10 Mobile. +Learn more about identity and access management technologies in Windows 10. | Section | Description | |-|-| | [Technical support policy for lost or forgotten passwords](password-support-policy.md)| Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so. | | [Access control](access-control/access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. | -| [Configure S/MIME for Windows 10](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. | -| [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard helps prevent these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. | +| [Configure S/MIME for Windows 10](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. | +| [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard helps prevent these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. | | [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. | | [User Account Control](user-account-control/user-account-control-overview.md)| Provides information about User Account Control (UAC), which helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. UAC can help block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.| | [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. | -| [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. | +| [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. | | [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. | -| [Windows Hello for Business](hello-for-business/index.yml) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | +| [Windows Hello for Business](hello-for-business/index.yml) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on client devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | | [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. | diff --git a/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md b/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md deleted file mode 100644 index 9839a92845..0000000000 --- a/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md +++ /dev/null @@ -1,76 +0,0 @@ ---- -title: Install digital certificates on Windows 10 Mobile (Windows 10) -description: Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. -ms.assetid: FF7B1BE9-41F4-44B0-A442-249B650CEE25 -ms.reviewer: -keywords: S/MIME, PFX, SCEP -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 07/27/2017 ---- - -# Install digital certificates on Windows 10 Mobile - -**Applies to** -- Windows 10 Mobile - -Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. - -Certificates in Windows 10 Mobile are primarily used for the following purposes: -- To create a secure channel using Secure Sockets Layer (SSL) between a phone and a web server or service. -- To authenticate a user to a reverse proxy server that is used to enable Microsoft Exchange ActiveSync (EAS) for email. -- For installation and licensing of applications (from the Windows Phone Store or a custom company distribution site). - - ->[!WARNING] ->In Windows 10, Version 1607, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. [Learn more about this known issue in Version 1607](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management) - -## Install certificates using Microsoft Edge - -A certificate can be posted on a website and made available to users through a device-accessible URL that they can use to download the certificate. When a user accesses the page and taps the certificate, it opens on the device. The user can inspect the certificate, and if they choose to continue, the certificate is installed on the Windows 10 Mobile device. - -## Install certificates using email - -The Windows 10 Mobile certificate installer supports .cer, .p7b, .pem, and .pfx files. Some email programs block .cer files for security reasons. If this is the case in your organization, use an alternative method to deploy the certificate. Certificates that are sent via email appear as message attachments. When a certificate is received, a user can tap to review the contents and then tap to install the certificate. Typically, when an identity certificate is installed, the user is prompted for the password (or passphrase) that protects it. - -## Install certificates using mobile device management (MDM) - -Windows 10 Mobile supports root, CA, and client certificate to be configured via MDM. Using MDM, an administrator can directly add, delete, or query root and CA certificates, and configure the device to enroll a client certificate with a certificate enrollment server that supports Simple Certificate Enrollment Protocol (SCEP). SCEP enrolled client certificates are used by Wi-Fi, VPN, email, and browser for certificate-based client authentication. An MDM server can also query and delete SCEP enrolled client certificate (including user installed certificates), or trigger a new enrollment request before the current certificate is expired. - ->[!WARNING] ->Do not use SCEP for encryption certificates for S/MIME. You must use a PFX certificate profile to support S/MIME on Windows 10 Mobile. For instructions on creating a PFX certificate profile in Microsoft Intune, see [Enable access to company resources using certificate profiles with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkID=718216). - -**Process of installing certificates using MDM** - -1. The MDM server generates the initial cert enroll request including challenge password, SCEP server URL, and other enrollment related parameters. -2. The policy is converted to the OMA DM request and sent to the device. -3. The trusted CA certificate is installed directly during MDM request. -4. The device accepts certificate enrollment request. -5. The device generates private/public key pair. -6. The device connects to Internet-facing point exposed by MDM server. -7. MDM server creates a certificate that is signed with proper CA certificate and returns it to device. - - >[!NOTE] - >The device supports the pending function to allow server side to do additional verification before issuing the cert. In this case, a pending status is sent back to the device. The device will periodically contact the server, based on preconfigured retry count and retry period parameters. Retrying ends when either: - > - >- A certificate is successfully received from the server - >- The server returns an error - >- The number of retries reaches the preconfigured limit - -8. The cert is installed in the device. Browser, Wi-Fi, VPN, email, and other first party applications have access to this certificate. - - >[!NOTE] - >If MDM requested private key stored in Trusted Process Module (TPM) (configured during enrollment request), the private key will be saved in TPM. Note that SCEP enrolled cert protected by TPM isn’t guarded by a PIN. However, if the certificate is imported to the Windows Hello for Business Key Storage Provider (KSP), it is guarded by the Hello PIN. - -## Related topics - -[Configure S/MIME](configure-s-mime.md) \ No newline at end of file diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md index 72d3fed61c..75cbde62de 100644 --- a/windows/security/identity-protection/vpn/vpn-connection-type.md +++ b/windows/security/identity-protection/vpn/vpn-connection-type.md @@ -56,7 +56,7 @@ There are many options for VPN clients. In Windows 10 and Windows 11, the built- ## Universal Windows Platform VPN plug-in -The Universal Windows Platform (UWP) VPN plug-ins were introduced in Windows 10 and Windows 11, although there were originally separate versions available for the Windows 8.1 Mobile and Windows 8.1 PC platforms. Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers. +The Universal Windows Platform (UWP) VPN plug-ins were introduced in Windows 10 and Windows 11, although there was originally separate version available for the Windows 8.1 PC platform. Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers. There are a number of Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution. diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md index c999481679..7f144e6146 100644 --- a/windows/security/identity-protection/vpn/vpn-profile-options.md +++ b/windows/security/identity-protection/vpn/vpn-profile-options.md @@ -17,8 +17,9 @@ ms.date: 05/17/2018 # VPN profile options **Applies to** -- Windows 10 -- Windows 11 + +- Windows 10 +- Windows 11 Most of the VPN settings in Windows 10 and Windows 11 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 and Windows 11 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp). @@ -298,36 +299,31 @@ The following is a sample plug-in VPN profile. This blob would fall under the Pr ## Apply ProfileXML using Intune -After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 or Windows 11 Desktop and Mobile and later)** policy. +After you configure the settings that you want using ProfileXML, you can create a custom profile in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). After it's created, you deploy this profile to your devices. -1. Sign into the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Select **Devices** > **Configuration profiles** > **Create profile**. +3. Enter the following properties: -2. Go to **Intune** > **Device Configuration** > **Profiles**. + - **Platform**: Select **Windows 10 and later** + - **Profile**: Select **Templates** > **Custom**. -3. Click **Create Profile**. +4. Select **Create**. +5. In **Basics**, enter the following properties: -4. Enter a name and (optionally) a description. + - **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. + - **Description**: Enter a description for the profile. This setting is optional, but recommended. -5. Choose **Windows 10 and later** as the platform. +6. Select **Next**. +7. In **Configuration settings**, enter the following properties: -6. Choose **Custom** as the profile type and click **Add**. + - **OMA-URI**: Enter `./user/vendor/MSFT/VPNv2/Your_VPN profile name_/ProfileXML`. + - **Data type**: Select `String (XML file)`. + - **Value**: Browse to, and select your XML file. -8. Enter a name and (optionally) a description. - -9. Enter the OMA-URI **./user/vendor/MSFT/VPNv2/_VPN profile name_/ProfileXML**. - -10. Set Data type to **String (XML file)**. - -11. Upload the profile XML file. - -12. Click **OK**. - - ![Custom VPN profile.](images/custom-vpn-profile.png) - -13. Click **OK**, then **Create**. - -14. Assign the profile. + For more information on these settings, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10). +8. Select **Next**, and continue configuring the policy. For the specific steps and recommendations, see [Create a profile with custom settings in Intune](/mem/intune/configuration/custom-settings-configure). ## Learn more diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md index e69017b1e0..57044c576d 100644 --- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md @@ -20,8 +20,7 @@ ms.reviewer: # Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) **Applies to:** -- Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later +- Windows 10, version 1607 and later Windows Information Protection (WIP) classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data is encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or people will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default. diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index 22190edaa2..1220e20185 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md @@ -20,8 +20,7 @@ ms.reviewer: **Applies to:** -- Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later +- Windows 10, version 1607 and later Windows Information Protection (WIP) creates audit events in the following situations: diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md index 6c878e9d9c..1b4ece02db 100644 --- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md +++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md @@ -18,10 +18,10 @@ ms.reviewer: --- # Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate + **Applies to:** -- Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later +- Windows 10, version 1607 and later If you don't already have an EFS DRA certificate, you'll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we'll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. @@ -33,10 +33,12 @@ If you don't already have an EFS DRA certificate, you'll need to create and extr 1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. 2. Run this command: - - cipher /r:EFSRA - - Where *EFSRA* is the name of the .cer and .pfx files that you want to create. + + ```cmd + cipher /r:EFSRA + ``` + + Where *EFSRA* is the name of the `.cer` and `.pfx` files that you want to create. 3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. @@ -58,7 +60,9 @@ If you don't already have an EFS DRA certificate, you'll need to create and extr 3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: - cipher /c filename + ```cmd + cipher /c filename + ``` Where *filename* is the name of the file you created in Step 1. @@ -72,9 +76,11 @@ If you don't already have an EFS DRA certificate, you'll need to create and extr 3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: - cipher /d encryptedfile.extension - - Where *encryptedfile.extension* is the name of your encrypted file. For example, corporatedata.docx. + ```cmd + cipher /d encryptedfile.extension + ``` + + Where *encryptedfile.extension* is the name of your encrypted file. For example, `corporatedata.docx`. ## Recover WIP-protected after unenrollment @@ -84,26 +90,34 @@ It's possible that you might revoke data from an unenrolled device only to later >To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. 1. Have the employee sign in to the unenrolled device, open an elevated command prompt, and type: - - Robocopy "%localappdata%\Microsoft\EDP\Recovery" "new_location" * /EFSRAW + + ```cmd + Robocopy "%localappdata%\Microsoft\EDP\Recovery" "new_location" * /EFSRAW + ``` Where "*new_location*" is in a different directory. This can be on the employee's device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent. To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**. - + ![Robocopy in S mode.](images/robocopy-s-mode.png) If the employee performed a clean installation and there is no user profile, you need to recover the keys from the System Volume folder in each drive. Type: - - Robocopy "drive_letter:\System Volume Information\EDP\Recovery\" "new_location" * /EFSRAW + + ```cmd + Robocopy "drive_letter:\System Volume Information\EDP\Recovery\" "new_location" * /EFSRAW + ``` 2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing: - cipher.exe /D "new_location" + ```cmd + cipher.exe /D "new_location" + ``` 3. Have your employee sign in to the unenrolled device, and type: - Robocopy "new_location" "%localappdata%\Microsoft\EDP\Recovery\Input" + ```cmd + Robocopy "new_location" "%localappdata%\Microsoft\EDP\Recovery\Input" + ``` 4. Ask the employee to lock and unlock the device. @@ -127,7 +141,8 @@ The employee experience is based on sign in with an Azure AD work account. The e After signing in, the necessary WIP key info is automatically downloaded and employees are able to access the files again. -**To test what the employee sees during the WIP key recovery process** +### To test what the employee sees during the WIP key recovery process + 1. Attempt to open a work file on an unenrolled device. The **Connect to Work to access work files** box appears. @@ -139,6 +154,7 @@ After signing in, the necessary WIP key info is automatically downloaded and emp 3. Sign-in to Azure AD as the employee and verify that the files now open ## Related topics + - [Security Watch Deploying EFS: Part 1](/previous-versions/technet-magazine/cc162507(v=msdn.10)) - [Protecting Data by Using EFS to Encrypt Hard Drives](/previous-versions/tn-archive/cc875821(v=technet.10)) @@ -151,4 +167,4 @@ After signing in, the necessary WIP key info is automatically downloaded and emp >[!Note] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to this article](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to this article](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md index 7d32f0a68b..3c7680cf51 100644 --- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md @@ -17,53 +17,46 @@ ms.date: 02/26/2019 ms.reviewer: --- -# Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune +# Associate and deploy a VPN policy for Windows Information Protection (WIP) using Endpoint Manager + **Applies to:** -- Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop) +- Windows 10, version 1607 and later After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy. -## Associate your WIP policy to your VPN policy by using Microsoft Intune -Follow these steps to associate your WIP policy with your organization's existing VPN policy. +## Associate your WIP policy to your VPN policy using Endpoint Manager -**To associate your policies** +To associate your WIP policy with your organization's existing VPN policy, use the following steps: -1. Create your VPN profile. For info about how to do this, see [How to configure VPN settings in Microsoft Intune](/intune-azure/configure-devices/how-to-configure-vpn-settings) and [How to create custom VPN profiles in Microsoft Intune](/intune-azure/configure-devices/create-custom-vpn-profiles#create-a-custom-configuration). +1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Select **Devices** > **Configuration profiles** > **Create profile**. +3. Enter the following properties: -2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**. + - **Platform**: Select **Windows 10 and later** + - **Profile**: Select **Templates** > **Custom**. - ![Microsoft Intune, Create a new policy using the portal.](images/wip-azure-vpn-device-policy.png) +4. Select **Create**. +5. In **Basics**, enter the following properties: -3. In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**. + - **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. + - **Description**: Enter a description for the profile. This setting is optional, but recommended. - ![Microsoft Intune, Create a new policy using the Create Profile blade.](images/wip-azure-vpn-configure-policy.png) +6. Select **Next**. +7. In **Configuration settings**, enter the following properties: -4. In the **Custom OMA-URI Settings** blade, click **Add**. + - **Name**: Enter a name for your setting. For example, enter `EDPModeID`. + - **OMA-URI**: Enter `./Vendor/MSFT/VPNv2/YourVPNProfileName/EDPModeId`. + - **Data type**: Select `String`. + - **Value**: Type your fully-qualified domain that should be used by the OMA-URI setting. For example, enter `corp.contoso.com`. -5. In the **Add Row** blade, type: + For more information on these settings, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10). - - **Name.** Type a name for your setting, such as *EDPModeID*. - - - **Description.** Type an optional description for your setting. - - - **OMA-URI.** Type _./Vendor/MSFT/VPNv2/<VPNProfileName>/EDPModeId_ into the box. - - - **Data type.** Select **String** from the dropdown box - - - **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_. - - ![Microsoft Intune, Add your OMA-URI settings.](images/wip-azure-vpn-custom-omauri.png) - -6. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy. - -7. Click **Create** to create the policy, including your OMA_URI info. +8. Select **Next**, and continue configuring the policy. For the specific steps and recommendations, see [Create a profile with custom settings in Intune](/mem/intune/configuration/custom-settings-configure). ## Deploy your VPN policy using Microsoft Intune -After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy. -**To deploy your Custom VPN policy** +After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy. 1. On the **App policy** blade, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**. diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 26b8886645..3fb7d9b80d 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -20,7 +20,6 @@ ms.reviewer: **Applies to:** - Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop) Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune manages only the apps on a user's personal device. diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md index 1c9ca74eed..c81eea7fca 100644 --- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md @@ -21,12 +21,11 @@ ms.reviewer: **Applies to:** -- Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop) +- Windows 10, version 1607 and later After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information. -**To deploy your WIP policy** +## To deploy your WIP policy 1. On the **App protection policies** pane, click your newly-created policy, click **Assignments**, and then select groups to include or exclude from the policy. diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 6551bd495d..a1dba47f5e 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -23,7 +23,6 @@ ms.date: 05/02/2019 **Applies to:** - Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md index 4abadeccec..1f6aaa6f4e 100644 --- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md +++ b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md @@ -21,12 +21,12 @@ ms.date: 02/26/2019 # General guidance and best practices for Windows Information Protection (WIP) **Applies to:** -- Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later +- Windows 10, version 1607 and later This section includes info about the enlightened Microsoft apps, including how to add them to your allowed apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP). ## In this section + |Topic |Description | |------|------------| |[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. | diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md index 1d28851374..cf0c2bbce8 100644 --- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -21,7 +21,6 @@ ms.reviewer: **Applies to:** - Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md index 6f0d4796b6..c017a7e4f6 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md @@ -20,12 +20,12 @@ ms.date: 02/26/2019 # Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager **Applies to:** -- Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later +- Windows 10, version 1607 and later Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. ## In this section + |Topic |Description | |------|------------| |[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md index 238400ed86..348af05f36 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md @@ -21,11 +21,11 @@ ms.date: 03/11/2019 **Applies to:** - Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. ## In this section + |Topic |Description | |------|------------| |[Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy with MDM (Mobile Device Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index ec997e526a..f9a0db9b78 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -23,7 +23,6 @@ ms.date: 03/05/2019 **Applies to:** - Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md index 254e5b85bc..d5400291be 100644 --- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md @@ -22,25 +22,25 @@ ms.reviewer: **Applies to:** - Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a WIP policy. If you are using Intune, the SharePoint entries may be added automatically. ## Recommended Enterprise Cloud Resources + This table includes the recommended URLs to add to your Enterprise Cloud Resources network setting, based on the apps you use in your organization. |If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting
(Replace "contoso" with your domain name(s)| |-----------------------------|---------------------------------------------------------------------| -|Sharepoint Online |
  • contoso.sharepoint.com
  • contoso-my.sharepoint.com
  • contoso-files.sharepoint.com
| -|Yammer |
  • www.yammer.com
  • yammer.com
  • persona.yammer.com
| -|Outlook Web Access (OWA) |
  • outlook.office.com
  • outlook.office365.com
  • attachments.office.net
| -|Microsoft Dynamics |contoso.crm.dynamics.com | -|Visual Studio Online |contoso.visualstudio.com | -|Power BI |contoso.powerbi.com | -|Microsoft Teams |teams.microsoft.com | -|Other Office 365 services |
  • tasks.office.com
  • protection.office.com
  • meet.lync.com
  • project.microsoft.com
| +|Sharepoint Online |- `contoso.sharepoint.com`
- `contoso-my.sharepoint.com`
- `contoso-files.sharepoint.com` | +|Yammer |- `www.yammer.com`
- `yammer.com`
- `persona.yammer.com` | +|Outlook Web Access (OWA) |- `outlook.office.com`
- `outlook.office365.com`
- `attachments.office.net` | +|Microsoft Dynamics |`contoso.crm.dynamics.com` | +|Visual Studio Online |`contoso.visualstudio.com` | +|Power BI |`contoso.powerbi.com` | +|Microsoft Teams |`teams.microsoft.com` | +|Other Office 365 services |- `tasks.office.com`
- `protection.office.com`
- `meet.lync.com`
- `project.microsoft.com` | You can add other work-only apps to the Cloud Resource list, or you can create a packaged app rule for the .exe file to protect every file the app creates or modifies. Depending on how the app is accessed, you might want to add both. @@ -54,7 +54,6 @@ When multiple files are selected from SharePoint Online or OneDrive, the files a ## Recommended Neutral Resources We recommended adding these URLs if you use the Neutral Resources network setting with Windows Information Protection (WIP). -
    -
  • login.microsoftonline.com
    • -
  • login.windows.net
    • -
\ No newline at end of file + +- `login.microsoftonline.com` +- `login.windows.net` diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md index 1b6f9a67bd..c1188fad4b 100644 --- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md @@ -21,7 +21,6 @@ ms.reviewer: **Applies to:** - Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). @@ -35,8 +34,3 @@ Because Outlook on the web can be used both personally and as part of your organ >[!NOTE] >These limitations don’t apply to Outlook 2016, the Mail for Windows 10 app, or the Calendar for Windows 10 app. These apps will work properly, marking an employee’s mailbox as corporate data, regardless of how you’ve configured outlook.office.com in your network settings. - - - - - diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md index 4a5b35da13..cd707f5044 100644 --- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md +++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md @@ -20,8 +20,7 @@ ms.reviewer: # Determine the Enterprise Context of an app running in Windows Information Protection (WIP) **Applies to:** -- Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later +- Windows 10, version 1607 and later >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). @@ -53,10 +52,5 @@ The **Enterprise Context** column shows you what each app can do with your enter - **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components). - >**Important**
Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials. - - - - - - + > [!Important] + > Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials. diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md index 65aaeda64c..3ae137caca 100644 --- a/windows/security/information-protection/windows-information-protection/wip-learning.md +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -21,8 +21,7 @@ ms.date: 02/26/2019 # Fine-tune Windows Information Protection (WIP) with WIP Learning **Applies to:** -- Windows 10, version 1703 and later -- Windows 10 Mobile, version 1703 and later +- Windows 10, version 1703 and later With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports can be accessed from Microsoft Azure Intune. @@ -32,11 +31,9 @@ In the **Website learning report**, you can view a summary of the devices that h ## Access the WIP Learning reports -1. Open the [Azure portal](https://portal.azure.com/). +1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Click **All services**, type **Intune** in the text box filter, and click the star to add it to **Favorites**. - -1. Click **Intune** > **Client apps** > **App protection status** > **Reports**. +1. Click **Client apps** > **App protection status** > **Reports**. ![Image showing the UI path to the WIP report.](images/access-wip-learning-report.png) @@ -114,4 +111,4 @@ The information needed for the following steps can be found using Device Health, When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes) >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/threat-protection/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md deleted file mode 100644 index cd44f7491b..0000000000 --- a/windows/security/threat-protection/windows-10-mobile-security-guide.md +++ /dev/null @@ -1,334 +0,0 @@ ---- -title: Windows 10 Mobile security guide (Windows 10) -description: The most important security features in the Windows 10 Mobile — identity access & control, data protection, malware resistance, and app platform security. -ms.assetid: D51EF508-699E-4A68-A7CD-91D821A97205 -ms.reviewer: -manager: dansimp -ms.author: dansimp -keywords: data protection, encryption, malware resistance, smartphone, device, Microsoft Store -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security, mobile -ms.localizationpriority: medium -author: dulcemontemayor -ms.date: 10/13/2017 -ms.technology: windows-sec ---- -# Windows 10 Mobile security guide - -*Applies to Windows 10 Mobile, version 1511 and Windows Mobile, version 1607* - ->This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security. - -Smartphones now serve as a primary productivity tool for business workers and, just like desktops or laptops, need to be secured against malware and data theft. Protecting these devices can be challenging due to the wide range of device operating systems and configurations and the fact that many employees use their own personal devices. IT needs to secure corporate assets on every device, but also ensure the privacy of the user’s personal apps and data. -Windows 10 Mobile addresses these security concerns directly, whether workers are using personal or corporate-owned devices. It uses the same security technologies as the Windows 10 operating system to help protect against known and emerging security threats across the spectrum of attack vectors. These technologies include: -- **Windows Hello for Business** Enhanced identity and access control features ensure that only authorized users can access corporate data and resources. Windows Hello simplifies multifactor authentication (MFA) deployment and use, offering PIN, companion device, and biometric authentication methods. -- **Windows Information Protection** Automatic data separation keeps corporate information from being shared with personal data and apps. -- **Malware resistance** Multi-layered protections built into the device hardware, startup processes, and app platform help reduce the threat of malware that can compromise employee devices. - -This guide helps IT administrators better understand the security features in Windows 10 Mobile, which can be used to improve protection against unauthorized access, data leakage, and malware. - -**In this article:** -- Windows Hello for Business -- Windows Information Protection -- Malware resistance - -## Windows Hello - -Windows 10 Mobile includes Windows Hello, a simple, yet powerful, multifactor authentication solution that confirms a user’s identity before allowing access to corporate confidential information and resources. Multifactor authentication is a more secure alternative to password-based device security. Users dislike having to enter long, complex passwords – particularly on a mobile device touch screen – that corporate policy requires they change frequently. This leads to poor security practices like password reuse, written down passwords, or weak password creation. - -Windows Hello offers a simple, cost-effective way to deploy multifactor authentication across your organization. Unlike smart cards, it does not require public key infrastructure or the implementation of additional hardware. Workers use a PIN, a companion device (like Microsoft Band), or biometrics to validate their identity for accessing corporate resources on their Azure Active Directory (Azure AD) registered Windows 10 Mobile device. - -Because Windows Hello is supported across all Windows 10 devices, organizations can uniformly implement multifactor authentication across their environment. Deploying Windows Hello on Windows 10 Mobile devices does require Azure AD (sold separately), but you can use Azure AD Connect to synchronize with your on-premises Active Directory services. - -Windows Hello supports iris scan, fingerprint, and facial recognition-based authentication for devices that have biometric sensors. - -> [!NOTE] -> When Windows 10 first shipped, it included **Microsoft Passport** and **Windows Hello**, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the **Windows Hello** name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. - -### Secured credentials - -Windows Hello eliminates the use of passwords for login, reducing the risk that an attacker will steal and reuse a user’s credentials. Windows 10 Mobile devices are required to have a Trusted Platform Module (TPM), a microchip that enables advanced security features. The TPM creates encryption keys that are “wrapped” with the TPM’s own storage root key, which is itself stored within the TPM to prevent credentials from being compromised. Encryption keys created by the TPM can only be decrypted by the same TPM, which protects the key material from attackers who want to capture and reuse it. - -To compromise Windows Hello credentials, an attacker would need access to the physical device, and then find a way to spoof the user’s biometric identity or guess his or her PIN. All of this would have to be accomplished before TPM brute-force resistance capabilities lock the mobile device, the theft-protection mechanism kicks in, or the user or corporate administrator remotely wipes the device. With TPM-based protection, an attacker’s window of opportunity for compromising a user’s credentials is greatly reduced. - -### Support for biometrics - -Biometrics help prevent credential theft and make it easier for users to login to their devices. Users always have their biometric identity with them – there is nothing to forget, lose, or leave behind. Attackers would need to have both access to the user’s device and be able to impersonate the user’s biometric identity to gain access to corporate resources, which is far more difficult than stealing a password. - -Windows Hello supports three biometric sensor scenarios: -- **Facial recognition** uses special IR cameras to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major manufacturers are already shipping laptops with integrated facial-recognition technology. Both Surface Pro 4 and Surface Book support this technology. -- **Fingerprint recognition** uses a sensor to scan the user’s fingerprint. Although fingerprint readers have been available for computers running the Windows operating system for years, the detection, anti-spoofing, and recognition algorithms in Windows 10 are more advanced than in previous Windows versions. Most existing fingerprint readers (whether external to or integrated into laptops or USB keyboards) that support the Windows Biometric Framework will work with Windows Hello. -- **Iris scanning** uses cameras designed to scan the user’s iris, the colorful and highly detailed portion of the eye. Because the data must be accurate, iris scanning uses a combination of an IR light source and a high-quality camera. Microsoft Lumia 950 and 950 XL devices support this technology. - -> [!NOTE] -> Users must create an unlock PIN while they enroll a biometric gesture. The device uses this PIN as a fallback mechanism in situations where it cannot capture the biometric gesture. - -All three of these biometric factors – face, finger, and iris – are unique to an individual. To capture enough data to uniquely identify an individual, a biometric scanner might initially capture images in multiple conditions or with additional details. For example, an iris scanner will capture images of both eyes or both eyes with and without eyeglasses or contact lenses. - -Spoofing biometric data is often a big concern in enterprise environments. Microsoft employs several anti-spoofing techniques in Windows 10 Mobile that verify the trustworthiness of the biometric device, as well as guard against intentional collision with stored biometric measurements. These techniques help improve the false-acceptance rate (the rate at which spoofed biometric data is accepted as authentic) while maintaining the overall usability and manageability of MFA. - -The biometric image collected at enrollment is converted into an algorithmic form that cannot be converted back into the original image. Only the algorithmic form is kept; the actual biometric image is removed from the device after conversion. Windows 10 Mobile devices both encrypt the algorithmic form of the biometric data and bind the encrypted data to the device, both of which help prevent someone from removing the data from the phone. As a result, the biometric information that Windows Hello uses is a local gesture and doesn’t roam among the user’s devices. - -### Companion devices - -A Windows Hello companion device enables a physical device, like a wearable, to serve as a factor for validating the user’s identity before granting them access to their credentials. For instance, when the user has physical possession of a companion device they can easily, possibly even automatically, unlock their PC and authenticate with apps and websites. This type of device can be useful for smartphones or tablets that don’t have integrated biometric sensors or for industries where users need a faster, more convenient sign-in experience, such as retail. - -### Standards-based approach - -The Fast Identity Online (FIDO) Alliance is a nonprofit organization that works to address the lack of interoperability among strong authentication devices and the problems users face in creating and remembering multiple user names and passwords. FIDO standards help reduce reliance on passwords to authenticate users of online services securely, allowing any business network, app, website, or cloud application to interface with a broad variety of existing and future FIDO-enabled devices and operating system platforms. - -In 2014, Microsoft joined the board of the FIDO Alliance. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: password-less (known as UAF) and second factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals that incorporate the best ideas from its U2F and UAF FIDO 1.0 standards. Microsoft has contributed Windows Hello technology to the FIDO 2.0 specification workgroup for review and feedback and continues to work with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for both enterprises and consumers. - -## Windows Information Protection - -Enterprises have seen huge growth in the convergence of personal and corporate data storage. Personal data is frequently stored on corporate devices and vice versa. This fluidity increases the potential for sensitive corporate data to be accidentally compromised. - -Inadvertent disclosure is rapidly becoming the biggest source of confidential data leakage as organizations allow personal devices to access corporate resources. It’s easy to imagine that an employee using work email on their personal phone could unintentionally save an attachment containing sensitive company information to personal cloud storage, which could be shared with unauthorized people. This accidental sharing of corporate data is just one example of the challenges common to using mobile devices in the workplace. To prevent this type of data leakage, most solutions require users to login with a separate username and password to a container that stores all corporate apps and data, an experience that degrades user productivity. - -Windows 10 Mobile includes Windows Information Protection to transparently keep corporate data secure and personal data private. Because corporate data is always protected, users cannot inadvertently copy it or share it with unauthorized users or apps. Key features include: -- Automatically tag personal and corporate data. -- Protect data while it’s at rest on local or removable storage. -- Control which apps can access corporate data. -- Control which apps can access a virtual private network (VPN) connection. -- Prevent users from copying corporate data to public locations. -- Help ensure business data is inaccessible when the device is in a locked state. - -### Enlightened apps - -Third-party data loss protection solutions usually require developers to wrap their apps. However, Windows Information Protection builds this intelligence right into Windows 10 Mobile so most apps require nothing extra to prevent inappropriate corporate data sharing. - -Windows Information Protection classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data will be encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or users will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default. - -When you do not want all data encrypted by default – because it would create a poor user experience – developers should consider enlightening apps by adding code and compiling them using the Windows Information Protection application programming interfaces. The most likely candidates for enlightenment are apps that: -- Don’t use common controls for saving files. -- Don’t use common controls for text boxes. -- Work on personal and enterprise data simultaneously (e.g., contact apps that display personal and enterprise data in a single view or a browser that displays personal and enterprise web pages on tabs within a single instance). - -In many cases, most apps don’t require enlightenment for them to use Windows Information Protection. Simply adding them to the allow list is the only step you need to take. Line-of-Business (LOB) apps are a good example of where this works well because they only handle corporate data. - -**When is app enlightenment required?** -- **Required** - - App needs to work with both personal and enterprise data. -- **Recommended** - - App handles only corporate data, but needs to modify a file (such as a configuration file) in order to launch, uninstall itself, update etc. Without enlightenment you wouldn’t be able to properly revoke these apps. - - App needs to access enterprise data, while protection under lock is activated. -- **Not required** - - App handles only corporate data - - App handles only personal data - -### Data leakage control - -To configure Windows Information Protection in a Mobile Device Management (MDM) solution that supports it, simply add authorized apps to the allow list. When a device running Windows 10 Mobile enrolls in the MDM solution, unauthorized apps will not have access to enterprise data. - -Windows Information Protection works seamlessly until users try to access enterprise data with or paste enterprise data into unauthorized apps or locations on the web. For example, copying enterprise data from an authorized app to another authorized app works as usual, but Windows Information Protection can block users from copying enterprise data from an authorized app to an unauthorized app. Likewise, it will block users from using an unauthorized app to open a file that contains enterprise data. - -The extent to which users will be prevented from copying and pasting data from authorized apps to unauthorized apps or locations on the web depends on which protection level is set: -- **Block.** Windows Information Protection blocks users from completing the operation. -- **Override.** Windows Information Protection notifies users that the operation is inappropriate but allows them to override the policy, although it logs the operation in the audit log. -- **Audit.** Windows Information Protection does not block or notify users but logs the operation in the audit log. -- **Off.** Windows Information Protection does not block or notify users and does not log operations in the audit log. - -### Data separation - -Most third-party solutions require an app wrapper that directs enterprise data into a password-protected container and keeps personal data outside the container. Depending on the implementation, this may require two different versions of the same apps to be running on the device: one for personal data and another for enterprise data. - -Windows Information Protection provides data separation without requiring a container or special version of an app to access business or personal data. There is no separate login required to see your corporate data or open your corporate applications. Windows Information Protection identifies enterprise data and encrypts it to only enterprise use. Data separation is automatic and seamless. - -### Encryption - -Windows 10 Mobile uses device encryption, based on BitLocker technology, to encrypt all internal storage, including operating systems and data storage partitions. The user can activate device encryption, or the IT department can activate and enforce encryption for company-managed devices through MDM tools. When device encryption is turned on, all data stored on the phone is encrypted automatically. A Windows 10 Mobile device with encryption turned on helps protect the confidentiality of data stored – even if the device is lost or stolen. The combination of Windows Hello lock and data encryption makes it extremely difficult for an unauthorized party to retrieve sensitive information from the device. - -You can customize how device encryption works to meet your unique security requirements. Device encryption even enables you to define your own cipher suite. For example, you can specify the algorithm and key size that Windows 10 Mobile uses for data encryption, which Transport Layer Security (TLS) cipher suites are permitted, and whether Federal Information Processing Standard (FIPS) policy is enabled. The list below shows the policies you can change to customize device encryption on Windows 10 Mobile devices. -- Cryptography - - Allow FIPS Algorithm: This policy enables or disable the FIPS policy. A restart is needed to enforce this policy. The default value is disabled. - - TLS Cipher Suite: This policy contains a list of the cryptographic cipher algorithms allowed for Secure Sockets Layer connections. -- BitLocker - - Encryption Method: Configures the BitLocker Drive Encryption Method and cipher strength. The default value is AES-CBC 128-bit. If the device cannot use the value specified, it will use another one. - -To help make the device even more secured against outside interference, Windows 10 Mobile also now includes protection-under-lock. That means that encryption keys are removed from memory whenever a device is locked. Apps are unable to access sensitive data while the device is in a locked state, so hackers and malware have no way to find and co-opt keys. Everything is locked up tight with the TPM until the user unlocks the device with Windows Hello. - -### Government Certifications - -Windows 10 Mobile supports both [FIPS 140 standards](http://csrc.nist.gov/groups/STM/cavp/validation.html) for cryptography and [Common Criteria](https://www.niap-ccevs.org/Product/Compliant.cfm?pid=10694) The FIPS 140 certification validates the effectiveness of the cryptographic algorithms used in Windows 10 Mobile. Microsoft has also received Common Criteria certification for Windows 10 Mobile running on Lumia 950, 950 XL, 550, 635, as well as Surface Pro 4, giving customers assurance that securety functionality is implemented properly. - -## Malware resistance - -The best way to fight malware is prevention. Windows 10 Mobile provides strong malware resistance through secured hardware, startup process defenses, core operating system architecture, and application-level protections. -The table below outlines how Windows 10 Mobile mitigates specific malware threats. - -|Threat|Windows 10 Mobile mitigation| -|--- |--- | -|Firmware bootkits replace the firmware with malware.|All certified devices include Unified Extensible Firmware (UEFI) with Secure Boot, which requires signed firmware for updates to UEFI and Option ROMs.| -|Bootkits start malware before Windows starts.|UEFI with Secure Boot verifies Windows bootloader integrity to help ensure that no malicious operating system can start before Windows.| -|System or driver rootkits (typically malicious software that hides from the operating system) start kernel- level malware while Windows is starting, before antimalware solutions can start.|Windows Trusted Boot verifies Windows boot components, including Microsoft drivers. Measured Boot runs in parallel with Trusted Boot and can provide information to a remote server that verifies the boot state of the device to help ensure that Trusted Boot and other boot components successfully checked the system.| -|An app infects other apps or the operating system with malware.|All Windows 10 Mobile apps run inside an AppContainer that isolates them from all other processes and sensitive operating system components. Apps cannot access any resources outside their AppContainer.| -|An unauthorized app or malware attempts to start on the device.|All Windows 10 Mobile apps must come from Microsoft Store or Microsoft Store for Business. Device Guard enforces administrative policies to select exactly which apps are allowed to run.| -|User-level malware exploits a vulnerability in the system or an application and owns the device.|Improvements to address space layout randomization (ASLR), Data Execution Prevention (DEP), the heap architecture, and memory-management algorithms reduce the likelihood that vulnerabilities can enable successful exploits.

Protected Processes isolates non-trusted processes from each other and from sensitive operating system components.| -|Users access a dangerous website without knowledge of the risk.|The Windows Defender SmartScreen URL Reputation feature prevents users from going to a malicious website that may try to exploit the browser and take control of the device.| -|Malware exploits a vulnerability in a browser add-on.|Microsoft Edge is an app built on the Universal Windows Platform (UWP) that does not run legacy binary extensions, including Microsoft ActiveX and browser helper objects frequently used for toolbars, which eliminates these risks.| -|A website that includes malicious code exploits a vulnerability in the web browser to run malware on the client device.|Microsoft Edge includes Enhanced Protected Mode, which uses AppContainer-based sandboxing to help protect the system against vulnerabilities that at attacker may discover in the extensions running in the browser (for example, Adobe Flash, Java) or the browser itself.| - - -> [!NOTE] -> The Windows 10 Mobile devices use a System on a Chip (SoC) design provided by SoC vendors such as Qualcomm. With this architecture, the SoC vendor and device manufacturers provide the pre-UEFI bootloaders and the UEFI environment. The UEFI environment implements the UEFI Secure Boot standard described in section 27 of the UEFI specification, which can be found at [www.uefi.org/specs]( http://www.uefi.org/specs). This standard describes the process by which all UEFI drivers and applications are validated against keys provisioned into a UEFI-based device before they are executed. - -### UEFI with Secure Boot - -When a Windows 10 Mobile device starts, it begins the process of loading the operating system by locating the bootloader in the device’s storage system. Without safeguards in place, the phone might simply hand control over to the bootloader without even determining whether it’s a trusted operating system or malware. - -UEFI is a standards-based solution that offers a modern-day replacement for the BIOS. In fact, it provides the same functionality as BIOS while adding security features and other advanced capabilities. Like BIOS, UEFI initializes devices, but UEFI components with the Secure Boot feature (version 2.3.1 or later) also helps to ensure that only trusted firmware in Option ROMs, UEFI apps, and operating system bootloaders can start on the mobile phone. - -UEFI can run internal integrity checks that verify the firmware’s digital signature before running it. Because only the mobile phone’s manufacturer has access to the digital certificate required to create a valid firmware signature, UEFI has protection against firmware-based malware that loads before Windows 10 Mobile and to try and hide its malicious behavior from the operating system. Firmware-based malware of this nature is typically called bootkits. - -When a mobile device with UEFI and Secure Boot starts, the UEFI firmware verifies the bootloader’s digital signature to verify that no one has modified it after it was digitally signed. The firmware also verifies that a trusted authority issued the bootloader’s digital signature. This check helps to ensure that the system starts only after checking that the bootloader is both trusted and unmodified since signing. - -All Windows 10 Mobile devices always have Secure Boot enabled. In addition, they trust only the Windows operating system signature. Neither Windows 10 Mobile, apps, or even malware can change the UEFI configuration. For more information about UEFI with Secure Boot, read [Protecting the pre-OS environment with UEFI](https://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx) - -### Trusted Platform Module - -A Trusted Platform Module (TPM) is a tamper-resistant cryptographic module that enhances the security and privacy of computing platforms. The TPM is incorporated as a component in a trusted computing platform like a PC, tablet, or smartphone. A trusted computing platform is specially designed to work with the TPM to support privacy and security scenarios that software alone cannot achieve. A TPM is required to receive Windows 10 Mobile device hardware certification. - -A proper implementation of a TPM as part of a trusted computing platform provides a hardware root of trust, meaning that the hardware behaves in a trusted way. For example, if you create a key in a TPM with the property that no one can export that key from the TPM, the key absolutely cannot leave the TPM. The close integration of a TPM with a platform increases the transparency of the boot process and supports device health scenarios by enabling a reliable report of the software used to start a platform. - -The following list describes key functionality that a TPM provides in Windows 10 Mobile: -- **Managing cryptographic keys.** A TPM can create, store, and permit the use of keys in defined ways. Windows 10 Mobile uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and various other keys. -- **Safeguarding and reporting integrity measurements.** Windows 10 Mobile uses the TPM to record and help protect integrity-related measurements of select hardware and Windows boot components for the Measured Boot feature. In this scenario, Measured Boot measures each component – from firmware up through the drivers – and then stores those measurements in the device’s TPM. From here, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 Mobile device. -- **Proving a TPM is really a TPM.** Managing cryptographic keys and measuring integrity are so central to protecting privacy and security that a TPM must differentiate itself from malware masquerading as a TPM. - -Windows 10 Mobile supports TPM implementations that comply with the 2.0 standard. The TPM 2.0 standard includes several improvements that make it superior to the 1.2 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. When the TPM 1.2 standard appeared in the early 2000s, the security community considered these algorithms cryptographically strong. Since then, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. TPM 2.0 supports additional algorithms that offer stronger cryptographic protection, as well as the ability to plug-in algorithms that certain geographies or industries may prefer. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself. - -Many assume that original equipment manufacturers (OEMs) must implant a TPM in hardware on a motherboard as a discrete module, but TPM can also be effective when implemented in firmware. Windows 10 Mobile supports only firmware TPM that complies with the 2.0 standard. Windows does not differentiate between discrete and firmware-based solutions because both must meet the same implementation and security requirements. Therefore, any Windows 10 feature that can take advantage of TPM can be used with Windows 10 Mobile. - -> [!NOTE] -> Microsoft requires TPM 2.0 on devices running any version of Windows 10 Mobile. For more information, see [minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) - -Several Windows 10 Mobile security features require TPM: -- Virtual smart cards -- Measured Boot -- Health attestation (requires TPM 2.0 or later) - -Still other features will use the TPM if it is available. For example, Windows Hello does not require TPM but uses it if it’s available. Organizations can configure policy to require TPM for Windows Hello. - -### Biometrics - -Windows 10 Mobile makes biometrics a core security feature. Microsoft has fully integrated biometrics into the Windows 10 Mobile security components, not just tacked it on top of the platform (as was the case in previous versions of Windows). This is a big change. Earlier biometric implementations were largely front-end methods that simplified authentication. Under the hood, the system used biometrics to access a password, which it then used for authentication behind the scenes. Biometrics may have provided convenience, but not necessarily enterprise-grade authentication. - -Microsoft has been evangelizing the importance of enterprise-grade biometric sensors to the OEMs that create Windows 10 Mobile devices. These facial-recognition and iris-scanning sensors are fully supported by Windows Hello. - -In the future, Microsoft expects OEMs to produce even more advanced enterprise-grade biometric sensors and to continue integrating them into mobile devices. As a result, biometrics will become a commonplace authentication method as part of an MFA system. - -### Trusted Boot - -UEFI with Secure Boot uses hardware technologies to help protect users from bootkits. Secure Boot can validate the integrity of the device, firmware, and bootloader. After the bootloader launches, users must rely on the operating system to protect the integrity of the remainder of the system. - -When UEFI with Secure Boot verifies that it trusts the bootloader and starts Windows 10 Mobile, the Windows Trusted Boot feature protects the rest of the startup process by verifying that all Windows startup components are trustworthy (e.g., signed by a trusted source) and have integrity. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, and startup files. - -### Measured Boot - -In earlier versions of Windows, the biggest challenge with rootkits and bootkits was that they could frequently be undetectable to the client. Because they often started before Windows defenses and the antimalware solution – and they had system-level privileges – rootkits and bootkits could completely disguise themselves while continuing to access system resources. Although UEFI with Secure Boot and Trusted Boot could prevent most rootkits and bootkits, intruders could still potentially exploit a few attack vectors (e.g., if someone compromised the signature used to sign a boot component, such as a non-Microsoft driver, and used it to sign a malicious one). - -Windows 10 Mobile implements the Measured Boot feature, which uses the TPM hardware component to record a series of measurements for critical startup-related components, including firmware, Windows boot components, and drivers. Because Measured Boot uses the hardware-based security capabilities of TPM, which isolates and protects the measurement data against malware attacks, the log data is well protected against even sophisticated attacks. - -Measured Boot focuses on acquiring the measurement data and protecting it against tampering. To provide more complete security, it must be coupled with a service that can analyze the data to determine device health. - -### Device Health Attestation - -Device Health Attestation (DHA) is a new feature in Windows 10 Mobile that helps prevent low-level malware infections. DHA uses a device’s TPM and firmware to measure the critical security properties of the device’s BIOS and Windows startup processes. These measurements are made in such a way that even on a system infected with kernel-level malware or a rootkit, an attacker is unlikely to spoof the properties. - -You can use DHA with Microsoft Intune (sold separately) or a third-party MDM solution to combine hardware-measured security properties with other device properties and gain an overall view of the device’s health and compliance state. This integration can be useful in a variety of scenarios, including detecting jailbroken devices, monitoring device compliance, generating compliance reports, alerting users or administrators, initiating corrective action on the device, and managing conditional access to resources such as Office 365. - -The example that follows shows how Windows 10 protective measures integrate and work with Intune and third-party MDM solutions. It demonstrates how the phone security architecture in Windows 10 Mobile can help you monitor and verify compliance and how the security and trust rooted in the device hardware can protect end-to-end corporate resources. - -When a user turns a phone on: -1. The Secure Boot feature in Windows 10 Mobile helps protect the startup sequence, allows the device to boot into a defined and trusted configuration, and loads a factory-trusted boot loader. -2. Windows 10 Mobile Trusted Boot takes control when the Secure Boot process is complete, verifying the digital signature of the Windows kernel and the components that are loaded and executed during the startup process. -3. In parallel to steps 1 and 2, the phone’s TPM runs independently in a hardware-protected security zone (isolated from the boot execution path, which monitors boot activities). It creates a protected, tamper-evident audit trail, signed with a secret that only the TPM can access. -4. Devices that are DHA-enabled send a copy of this audit trail to the Microsoft Health Attestation service (HAS) in a protected, tamper-resistant, and tamper-evident communication channel. -5. HAS reviews the audit trails, issues an encrypted and signed report, and forwards it to the device. -6. From your DHA-enabled MDM solution, you can review the report in a protected, tamper-resistant, and tamper-evident communication channel to assess whether the device is running in a compliant (healthy) state, allow access, or trigger corrective action aligned with the organization’s security needs and policies. -Because this solution can detect and prevent low-level malware that may be extremely difficult to detect any other way, Microsoft recommends that you consider implementing a DHA-enabled MDM system like Intune. It can take advantage of the Windows 10 Mobile cloud-based health attestation server feature to detect and block devices infected with advanced malware. - -### Device Guard - -Device Guard is a feature set that consists of both hardware and software system integrity–hardening features. These features revolutionize Windows operating system security by moving the entire operating system to a trust-nothing model. - -All apps on Windows 10 Mobile must be digitally signed and come from Microsoft Store or a trusted enterprise store. Device Guard implements policies that further restrict this. By default, Device Guard supports all apps from Microsoft Store. You can create policies that define the apps that can and cannot run on the Windows 10 Mobile device. If the app does not have a digital signature, is prevented by policy, or does not come from a trusted store, it will not run on Windows 10 Mobile. - -Advanced hardware features, described above, drive these security offerings. By integrating these hardware features further into the core operating system, Windows 10 Mobile can use them in new ways. To deliver this additional security, Device Guard requires UEFI with Secure Boot. - -### Address Space Layout Randomization - -One of the most common techniques used by attackers to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data reside, and overwrite that information with a malicious payload. In the early days of operating systems, any malware that could write directly to the system memory could do such a thing; the malware would simply overwrite system memory in well-known and predictable locations. - -Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. The below diagram illustrates how ASLR works, showing how the locations of different critical Windows components can change in memory between restarts. - -![figure 3.](images/mobile-security-guide-figure3.png) - -Microsoft has substantively improved the ASLR implementation in Windows 10 Mobile over previous versions, applying it across the entire system rather than only in specific apps. With 64bit system and application processes that can take advantage of a vastly increased memory space, it is even more difficult for malware to predict where Windows 10 Mobile stores vital data. When used on systems that have TPMs, ASLR memory randomization becomes increasingly unique across devices, adding additional degrees of difficulty for repurposing successful exploits to another system. - -### Data Execution Prevention - -Malware depends on its ability to insert a malicious payload into memory with the hope that an unsuspecting user will execute it later. While ASLR makes that more difficult, Windows 10 Mobile extends that protection to prevent malware from running if written to an area that you have allocated solely for the storage of information. Data Execution Prevention (DEP) substantially reduces the range of memory that malicious code can use for its benefit. DEP uses the **No execute** bit on modern CPUs to mark blocks of memory as read-only so that malware can’t use those blocks to execute malicious code. All Windows 10 and Windows 10 Mobile devices support DEP. - -### Windows heap - -The heap is a location in memory that Windows uses to store dynamic application data. Microsoft continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that an attacker could use. -Windows 10 Mobile has made several important improvements to the security of the heap over previous versions of Windows: -- Internal data structures that the heap uses are better protected against memory corruption. -- Heap memory allocations have randomized locations and sizes, making it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 Mobile adds a random offset to the address of a newly allocated heap, making the allocation much less predictable. -- Windows 10 Mobile uses “guard pages” before and after blocks of memory as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 Mobile responds by instantly terminating the app. - -### Memory reservations - -Microsoft reserves the lowest 64 KB of process memory for the operating system. Apps are no longer allowed to allocate that portion of the memory, making it more difficult for malware to overwrite critical system data structures in memory. - -### Control Flow Guard - -When Windows loads applications into memory, it allocates space to those applications based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls additional code located in other memory addresses. The relationships among the code locations are well known – they are written in the code itself. However, until Windows 10 Mobile, the operating system didn’t enforce the flow among these locations, giving attackers the opportunity to change the flow to meet their needs. In other words, an application exploit takes advantage of this behavior by running code that the application may not typically run. - -Windows 10 Mobile mitigates this kind of threat through Control Flow Guard (CFG). When a trusted application that its creator compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If CFG doesn’t trust the location, it immediately terminates the application as a potential security risk. - -You cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when he or she compiles the application. Because browsers are a key entry point for attacks, Microsoft Edge takes full advantage of CFG. - -### Protected Processes - -Unfortunately, no device is immune to malware. Despite all the best preventative controls, malware can eventually find a way to infect any operating system or hardware platform. So, although prevention with a defense-in-depth strategy is important, additional malware controls are required. -If malware is running on a system, you need to limit what it can do Protected Processes prevents untrusted processes from tampering with those that have been specially signed. Protected Processes defines levels of trust for processes: it prevents less trusted processes from interacting with and therefore attacking more trusted processes. Windows 10 Mobile uses Protected Processes broadly throughout the operating system. - -### AppContainer - -The Windows 10 Mobile security model is based on the principle of least privilege and uses isolation to achieve it. Every app and even portions of the operating system itself run inside their own isolated sandbox called an AppContainer – a secured isolation boundary within which an app and its processes can run. Each AppContainer is defined and implemented through a security policy. - -The security policy of a specific AppContainer defines the operating system capabilities that apps have access to from within the AppContainer, such as geographical location information, camera, microphone, networking, or sensors. - -A set of default permissions are granted to all AppContainers, including access to a unique, isolated storage location. Access to other capabilities can be declared within the app code itself. Unlike traditional desktop applications, access to additional capabilities and privileges cannot be requested at run time. - -The AppContainer concept is advantageous because it provides: -- **Attack surface reduction.** Apps can access only those capabilities that are declared in the application code and needed to perform their functions. -- **User consent and control.** Capabilities that apps use are automatically published to the app details page in the Microsoft Store. App access to capabilities that may expose sensitive information automatically prompt the user to acknowledge and provide consent. -- **App isolation.** Communication between Windows apps is tightly controlled. Apps are isolated from one another and can communicate only by using predefined communication channels and data types. - -Apps receive the minimal privileges they need to perform their legitimate tasks. This means that even if a malicious attacker exploits an app, the potential damage is limited because the app cannot elevate its privileges and is contained within its AppContainer. Microsoft Store displays the permissions that the app requires along with the app’s age rating and publisher. - -The combination of Device Guard and AppContainer help to prevent unauthorized apps from running. In the event malware slips into the app ecosystem, the AppContainer helps to constrain the app and limit potential damage. The Windows 10 Mobile trust-nothing model doesn’t assume that any component is perfect. However, potential vulnerabilities in apps, AppContainers, and Windows 10 Mobile itself could give an attacker a chance to compromise a system. For this reason, redundant vulnerability mitigations are needed. The next several topics describe some of the redundant mitigations in Windows 10 Mobile. - -### Microsoft Edge - -The web browser is a critical component of any security strategy. It is the user’s interface to the Internet, an environment teeming with malicious sites and potentially dangerous content. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the number one pathway from which malicious hackers initiate their attacks. - -Windows 10 Mobile includes Microsoft Edge, an entirely new web browser that goes beyond browsing with features like Reading View. Microsoft Edge is more secure than previous Microsoft web browsers in several ways: -- **Microsoft Edge on Windows 10 Mobile does not support extensions.** Microsoft Edge has built-in PDF viewing capability. -- **Microsoft Edge is designed as a UWP app.** It is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. -- **Microsoft Edge simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, fewer security settings are required. In addition, Microsoft established Microsoft Edge default settings that align with security best practices, making it more secure by design. - -## Summary - -Windows 10 Mobile provides security on personal and corporate-owned devices to protect against unauthorized access, data leakage, and malware threats. All of the features covered in this paper – multifactor authentication, data separation, and malware resistance – are seamlessly incorporated into the operating system. This means enterprises are protected without compromising the productivity and ease of use that drives users to bring mobile devices into the workplace. - -## Revision History - -November 2015 Updated for Windows 10 Mobile (version 1511) - -July 2016 Updated for Windows 10 Mobile Anniversary Update (version 1607) \ No newline at end of file From a4d9cb9276b99c616e0da6ba0b608b15d0e293fe Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Mon, 20 Dec 2021 18:26:49 -0500 Subject: [PATCH 049/122] acrolinx >80 --- .../vpn/vpn-profile-options.md | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md index 7f144e6146..16ce6d3e88 100644 --- a/windows/security/identity-protection/vpn/vpn-profile-options.md +++ b/windows/security/identity-protection/vpn/vpn-profile-options.md @@ -30,32 +30,32 @@ The following table lists the VPN settings and whether the setting can be config | Profile setting | Can be configured in Intune and Configuration Manager | | --- | --- | -| Connection type | yes | -| Routing: split-tunnel routes | yes, except exclusion routes | -| Routing: forced-tunnel | yes | -| Authentication (EAP) | yes, if connection type is built-in | -| Conditional access | yes | -| Name resolution: NRPT | yes | -| Name resolution: DNS suffix | no | -| Name resolution: persistent | no | -| Auto-trigger: app trigger | yes | -| Auto-trigger: name trigger | yes | -| Auto-trigger: Always On | yes | -| Auto-trigger: trusted network detection | no | -| LockDown | no | -| Windows Information Protection (WIP) | yes | -| Traffic filters | yes | -| Proxy settings | yes, by PAC/WPAD file or server and port | +| Connection type | Yes | +| Routing: split-tunnel routes | Yes, except exclusion routes | +| Routing: forced-tunnel | Yes | +| Authentication (EAP) | Yes, if connection type is built in | +| Conditional access | Yes | +| Name resolution: NRPT | Yes | +| Name resolution: DNS suffix | No | +| Name resolution: persistent | No | +| Auto-trigger: app trigger | Yes | +| Auto-trigger: name trigger | Yes | +| Auto-trigger: Always On | Yes | +| Auto-trigger: trusted network detection | No | +| LockDown | No | +| Windows Information Protection (WIP) | Yes | +| Traffic filters | Yes | +| Proxy settings | Yes, by PAC/WPAD file or server and port | > [!NOTE] > VPN proxy settings are only used on Force Tunnel Connections. On Split Tunnel Connections, the general proxy settings are used. -The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This is particularly useful for deploying profiles with features that are not yet supported by MDMs. You can get additional examples in the [ProfileXML XSD](/windows/client-management/mdm/vpnv2-profile-xsd) topic. +The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This node is useful for deploying profiles with features that are not yet supported by MDMs. You can get more examples in the [ProfileXML XSD](/windows/client-management/mdm/vpnv2-profile-xsd) article. ## Sample Native VPN profile -The following is a sample Native VPN profile. This blob would fall under the ProfileXML node. +The following sample is a sample Native VPN profile. This blob would fall under the ProfileXML node. ```xml @@ -221,7 +221,7 @@ The following is a sample Native VPN profile. This blob would fall under the Pro ## Sample plug-in VPN profile -The following is a sample plug-in VPN profile. This blob would fall under the ProfileXML node. +The following sample is a sample plug-in VPN profile. This blob would fall under the ProfileXML node. ```xml @@ -331,7 +331,7 @@ After you configure the settings that you want using ProfileXML, you can create - [VPNv2 configuration service provider (CSP) reference](/windows/client-management/mdm/vpnv2-csp) - [How to Create VPN Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/dn261200(v=technet.10)) -## Related topics +## Related articles - [VPN technical guide](vpn-guide.md) - [VPN connection types](vpn-connection-type.md) From 99a778e4fc48fb805db12d8bfd3f370dac82458f Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 21 Dec 2021 10:37:27 +0530 Subject: [PATCH 050/122] Update policy-csp-update.md --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index edc685637d..3cb2aee082 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1488,7 +1488,7 @@ Default value is 7. -When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates),allows the admin to specify a minimum number of days until restarts occur automatically for quality updates. Setting the grace period might extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) is configured but this policy is not, then the default value of 2 will be used. +When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates),allows the admin to specify a minimum number of days until restarts occur automatically for quality updates. Setting the grace period might extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) is configured but this policy is not, then the default value of 2 will be used. From 5515a808d5289f184ad27c25718c4da23762cdb7 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 21 Dec 2021 17:32:19 +0530 Subject: [PATCH 051/122] added correct link as per user report #10224 , so i added correct link. --- windows/security/identity.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity.md b/windows/security/identity.md index 7e2e8ca4b9..f94bc0578b 100644 --- a/windows/security/identity.md +++ b/windows/security/identity.md @@ -22,6 +22,6 @@ Malicious actors launch millions of password attacks every day. Weak passwords, | Securing user identity with Windows Hello | Windows Hello and Windows Hello for Business replace password-based authentication with a stronger authentication model to sign into your device using a passcode (PIN) or other biometric based authentication. This PIN or biometric based authentication is only valid on the device that you registered it for and cannot be used on another deviceLearn more: [Windows Hello for Business](identity-protection\hello-for-business\hello-overview.md) | | Windows Defender Credential Guard and Remote Credential Guard | Windows Defender Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. Learn more: [Protect derived domain credentials with Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md) and [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard](identity-protection/remote-credential-guard.md)| | FIDO Alliance | Fast Identity Online (FIDO) defined protocols are becoming the open standard for providing strong authentication that helps prevent phishing and are user-friendly and privacy-respecting. Windows 11 supports the use of device sign-in with FIDO 2 security keys, and with Microsoft Edge or other modern browsers, supports the use of secure FIDO-backed credentials to keep user accounts protected. Learn more about the [FIDO Alliance](https://fidoalliance.org/). | -| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone.md). | +| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-phone). | | Smart Cards | Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks in Windows, such as authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Learn more about [Smart Cards](identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md).| -| Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).| \ No newline at end of file +| Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).| From c2a8a31b485e450efcc1584a583307cd91997f9f Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 21 Dec 2021 17:49:18 +0530 Subject: [PATCH 052/122] corrected word as per user report #10227 , so i corrected, after verifying with windows 11 build no 22000.376 admx templates --- windows/client-management/mdm/policy-csp-admx-terminalserver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 1181f4bd47..12f70d7328 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -78,7 +78,7 @@ Time zone redirection is possible only when connecting to at least a Microsoft W ADMX Info: - GP Friendly name: *Allow time zone redirection* -- GP name: *TS_GATEWAY_POLICY_ENABLE* +- GP name: *TS_TIME_ZONE* - GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* - GP ADMX file name: *TerminalServer.admx* From a1e180db5fdd57f96bde96c5d38b4d280c2919ac Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Dec 2021 12:02:30 -0800 Subject: [PATCH 053/122] Update policy-csp-admx-terminalserver.md --- windows/client-management/mdm/policy-csp-admx-terminalserver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 12f70d7328..77b8035989 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 09/23/2020 +ms.date: 12/21/2021 ms.reviewer: manager: dansimp --- From f499618245f3d3b5adde46515714636d29400627 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Dec 2021 12:04:57 -0800 Subject: [PATCH 054/122] Update identity.md --- windows/security/identity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity.md b/windows/security/identity.md index f94bc0578b..bf6a97473a 100644 --- a/windows/security/identity.md +++ b/windows/security/identity.md @@ -22,6 +22,6 @@ Malicious actors launch millions of password attacks every day. Weak passwords, | Securing user identity with Windows Hello | Windows Hello and Windows Hello for Business replace password-based authentication with a stronger authentication model to sign into your device using a passcode (PIN) or other biometric based authentication. This PIN or biometric based authentication is only valid on the device that you registered it for and cannot be used on another deviceLearn more: [Windows Hello for Business](identity-protection\hello-for-business\hello-overview.md) | | Windows Defender Credential Guard and Remote Credential Guard | Windows Defender Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. Learn more: [Protect derived domain credentials with Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md) and [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard](identity-protection/remote-credential-guard.md)| | FIDO Alliance | Fast Identity Online (FIDO) defined protocols are becoming the open standard for providing strong authentication that helps prevent phishing and are user-friendly and privacy-respecting. Windows 11 supports the use of device sign-in with FIDO 2 security keys, and with Microsoft Edge or other modern browsers, supports the use of secure FIDO-backed credentials to keep user accounts protected. Learn more about the [FIDO Alliance](https://fidoalliance.org/). | -| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-phone). | +| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone). | | Smart Cards | Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks in Windows, such as authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Learn more about [Smart Cards](identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md).| | Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).| From 630d5b52dfbb678ec931007fb8e126f614916d7c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Dec 2021 12:07:21 -0800 Subject: [PATCH 055/122] Update special-identities.md --- .../identity-protection/access-control/special-identities.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index c1871a8804..242a5fc876 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -2,6 +2,7 @@ title: Special Identities (Windows 10) description: Special Identities ms.prod: m365-security +ms.technology: windows-sec ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 10/12/2021 +ms.date: 12/21/2021 ms.reviewer: --- From 5f95eb58403f04be49522674e6d1026c0a07f6ee Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Dec 2021 12:07:41 -0800 Subject: [PATCH 056/122] Update windows/security/identity-protection/access-control/special-identities.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/access-control/special-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index 242a5fc876..3958382eee 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -234,7 +234,7 @@ Membership is controlled by the operating system. |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
[Act as part of the operating system](/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system): SeTcbPrivilege
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| -## Fresh public key identity +## Fresh Public Key Identity A SID that means the client's identity is asserted by an authentication authority based on proof of current possession of client public key credentials. From e117fe7f5971d92ee74ac04299f403ed5dc9efbe Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Dec 2021 12:07:49 -0800 Subject: [PATCH 057/122] Update windows/security/identity-protection/access-control/special-identities.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/access-control/special-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index 3958382eee..66754be796 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -261,7 +261,7 @@ Any user who is logged on to the local system has the Interactive identity. This ## IUSR -Internet Information Services (IIS) use this account by default whenever anonymous authentication is enabled. +Internet Information Services (IIS) uses this account by default whenever anonymous authentication is enabled. | Attribute | Value | | :--: | :--: | From 4716bb90fce7f6f7a84d0a412a38f151cd564c92 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Dec 2021 12:11:01 -0800 Subject: [PATCH 058/122] Update windows/security/identity-protection/access-control/security-identifiers.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/access-control/security-identifiers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index 6abe9b1c87..9a30c84314 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md @@ -166,7 +166,7 @@ The following table lists the universal well-known SIDs. | S-1-5 | NT Authority | A SID that represents an identifier authority. | | S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system.| -The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the rest values are used with well-known SIDs in Windows operating systems designated in the **Applies To** list. +The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the rest of the values are used with well-known SIDs in Windows operating systems designated in the **Applies To** list. | Identifier Authority | Value | SID String Prefix | | - | - | - | From 6d7c16916d7574104182fe6860e299c931240943 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 22 Dec 2021 11:25:19 +0530 Subject: [PATCH 059/122] Update policy-csp-update.md --- .../mdm/policy-csp-update.md | 76 ------------------- 1 file changed, 76 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 3cb2aee082..c5c1634341 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1438,82 +1438,6 @@ Default value is 7.

- -**Update/ConfigureDeadlineGracePeriod** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates),allows the admin to specify a minimum number of days until restarts occur automatically for quality updates. Setting the grace period might extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) is configured but this policy is not, then the default value of 2 will be used. - - - -ADMX Info: -- GP Friendly name: *Specify deadlines for automatic updates and restarts* -- GP name: *ConfigureDeadlineGracePeriod* -- GP element: *ConfigureDeadlineGracePeriod* -- GP path: *Administrative Templates\Windows Components\WindowsUpdate* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically after installing a required quality update. - -Default value is 2. - - - - - - - - - -
**Update/ConfigureDeadlineGracePeriodForFeatureUpdates** From 5d68c92535cd1dc4936131861beb488aef5e7929 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Wed, 22 Dec 2021 12:52:20 +0530 Subject: [PATCH 060/122] Added metadata ms.custom attributes - Added ms.custom:- intro-overview in the metadata as per task 5668596 (part-1 description) - Added ms.custom:- intro-get-started in the metadata as per task 5668596 (part-2 description) - Added ms.custom:- intro-hub-or-landing in the metadata as per task 5668596 (part-3 description) --- windows/security/index.yml | 1 + windows/security/zero-trust-windows-device-health.md | 1 + windows/whats-new/whats-new-windows-10-version-21H2.md | 1 + windows/whats-new/windows-11-whats-new.md | 1 + 4 files changed, 4 insertions(+) diff --git a/windows/security/index.yml b/windows/security/index.yml index 8828c44e74..9acb0672a7 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -11,6 +11,7 @@ metadata: ms.collection: - m365-security-compliance - highpri + ms.custom: intro-hub-or-landing author: dansimp #Required; your GitHub user alias, with correct capitalization. ms.author: dansimp #Required; microsoft alias of author; optional team alias. ms.date: 09/20/2021 diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md index 1462084e1e..8b9b5e1d73 100644 --- a/windows/security/zero-trust-windows-device-health.md +++ b/windows/security/zero-trust-windows-device-health.md @@ -10,6 +10,7 @@ ms.sitesec: library ms.pagetype: security author: dansimp ms.collection: M365-security-compliance +ms.custom: intro-overview ms.prod: m365-security ms.technology: windows-sec --- diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md index faadc0536b..7c111593df 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H2.md +++ b/windows/whats-new/whats-new-windows-10-version-21H2.md @@ -11,6 +11,7 @@ author: MandiOhlinger ms.localizationpriority: medium ms.topic: article ms.collection: highpri +ms.custom: intro-overview --- # What's new in Windows 10, version 21H2 diff --git a/windows/whats-new/windows-11-whats-new.md b/windows/whats-new/windows-11-whats-new.md index f3b21b2f87..fbe9e7108d 100644 --- a/windows/whats-new/windows-11-whats-new.md +++ b/windows/whats-new/windows-11-whats-new.md @@ -13,6 +13,7 @@ ms.localizationpriority: medium audience: itpro ms.topic: article ms.collection: highpri +ms.custom: intro-overview --- # What's new in Windows 11 From 787d172fe981a32f93c125f467e33f7b783b0f4c Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 24 Dec 2021 10:34:36 +0500 Subject: [PATCH 061/122] Update the link As the link was not working so I have updated the link. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10028 --- windows/deployment/deploy-whats-new.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 287142a49d..df5395a3b5 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -92,7 +92,7 @@ The following Delivery Optimization policies are removed in the Windows 10, vers - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. -- [**Automatic Restart Sign-on (ARSO)**](/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. - **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. @@ -221,4 +221,4 @@ For more information, see the following guides: [Windows 10 release information](/windows/windows-10/release-information)
[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications)
[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
-[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
\ No newline at end of file +[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
From 04b321d7ae8e78ebbd26285c70f600a5cc608b33 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 24 Dec 2021 15:28:07 +0500 Subject: [PATCH 062/122] Update windows/deployment/deploy-whats-new.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/deploy-whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index df5395a3b5..a0c717c24f 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -92,7 +92,7 @@ The following Delivery Optimization policies are removed in the Windows 10, vers - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. -- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. - **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. From 2698427912891b5a62d9623ee3845d2dd94c6b62 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 24 Dec 2021 21:29:54 +0500 Subject: [PATCH 063/122] Update credential-guard-requirements.md --- .../credential-guard/credential-guard-requirements.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 59826162ce..3b6e597559 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -21,8 +21,8 @@ ms.date: 12/16/2021 ## Applies to -- Windows 11 Professional and Enterprise -- Windows 10 Professional and Enterprise +- Windows 11 +- Windows 10 - Windows Server 2019 - Windows Server 2016 @@ -105,7 +105,7 @@ The following tables describe baseline protections, plus protections for improve |Hardware: **Trusted Platform Module (TPM)**|**Requirement**:
- TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../information-protection/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.| |Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**:
- See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.| |Firmware: **Secure firmware update process**|**Requirements**:
- UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.| -|Software: Qualified **Windows operating system**|**Requirement**:
- At least Windows 10 or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.| +|Software: Qualified **Windows operating system**|**Requirement**:
- At least Windows 10 Enterprise or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.| > [!IMPORTANT] > Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. From 1d980efbf9cf20f0fe508b2cb9d92c48807458af Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 25 Dec 2021 22:16:44 +0500 Subject: [PATCH 064/122] Update hello-hybrid-key-trust-prereqs.md --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index faa8dbee77..29d57a36c6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -69,7 +69,7 @@ Key trust deployments do not need client issued certificates for on-premises aut The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](/troubleshoot/windows-server/windows-security/requirements-domain-controller). * The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL, or an Authority Information Access (AIA) extension that points to an Online Certificate Status Protocol (OCSP) responder. -* The certificate Subject section should contain the directory path of the server object (the distinguished name). +* Optionally, the certificate Subject section could contain the directory path of the server object (the distinguished name). * The certificate Key Usage section must contain Digital Signature and Key Encipherment. * Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None]. * The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5). @@ -167,4 +167,4 @@ For federated and non-federated environments, start with **Configure Windows Hel 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) From 186842eafa031acdd3efc4c01b167d14528bbc62 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 27 Dec 2021 19:26:02 +0500 Subject: [PATCH 065/122] Update tpm-fundamentals.md --- .../tpm/tpm-fundamentals.md | 23 +++++-------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index 844153ada6..148803140c 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md @@ -106,11 +106,11 @@ Because many entities can use the TPM, a single authorization success cannot res TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer and the logic varied widely throughout the industry. -For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts. +For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every 10 minutes. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts. -Attempts to use a key with an authorization value for the next two hours would not return success or failure; instead the response indicates that the TPM is locked. After two hours, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next two hours. If a period of 64 hours elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again. +Attempts to use a key with an authorization value for the next 10 minutes would not return success or failure; instead the response indicates that the TPM is locked. After 10 minutes, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next 10 minutes. If a period of 320 minutes elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again. -Windows 8 Certification does not require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows does require that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for two hours. +Windows 8 Certification does not require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows does require that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for 10 minutes. The anti-hammering protection for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators. @@ -124,20 +124,9 @@ Originally, BitLocker allowed from 4 to 20 characters for a PIN. Windows Hello has its own PIN for logon, which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. -The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made. +Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years. -The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. -For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. -A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. -This totals a maximum of about 4415 guesses per year. -If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years. - -Increasing the PIN length requires a greater number of guesses for an attacker. -In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection. - -Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello. -To help organizations with the transition, with Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, Windows 10, version 1709 and higher, and Windows 11, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters. -If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended. +Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, (Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0)[/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20] GPO should be enabled. ### TPM-based smart cards @@ -147,7 +136,7 @@ The Windows TPM-based smart card, which is a virtual smart card, can be configur - Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements. -- The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must to wait two hours or use some other credential to sign in, such as a user name and password. +- The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must to wait 10 minutes or use some other credential to sign in, such as a user name and password. ## Related topics From 811386c89f4ea6358b63ac9a68e5d1c88e056caa Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Mon, 27 Dec 2021 10:05:31 -0800 Subject: [PATCH 066/122] updated link change submitted via public repo PR #10233 --- windows/deployment/deploy-whats-new.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 287142a49d..a0c717c24f 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -92,7 +92,7 @@ The following Delivery Optimization policies are removed in the Windows 10, vers - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. -- [**Automatic Restart Sign-on (ARSO)**](/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. - **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. @@ -221,4 +221,4 @@ For more information, see the following guides: [Windows 10 release information](/windows/windows-10/release-information)
[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications)
[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
-[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
\ No newline at end of file +[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
From 7084a1b5cd3c2cdd32825da79349205127f25bcf Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 27 Dec 2021 12:21:20 -0800 Subject: [PATCH 067/122] Update tpm-fundamentals.md --- .../security/information-protection/tpm/tpm-fundamentals.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index 148803140c..0ee935611c 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md @@ -15,7 +15,7 @@ ms.collection: - M365-security-compliance - highpri ms.topic: conceptual -ms.date: 09/06/2021 +ms.date: 12/27/2021 --- # TPM fundamentals @@ -23,7 +23,7 @@ ms.date: 09/06/2021 **Applies to** - Windows 10 - Windows 11 -- Windows Server 2016 and above +- Windows Server 2016 and later This article for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks. From 66a8d6a9c847ebabc63a5b8b70105bf226a2634c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 27 Dec 2021 12:22:39 -0800 Subject: [PATCH 068/122] Update windows/security/information-protection/tpm/tpm-fundamentals.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/security/information-protection/tpm/tpm-fundamentals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index 0ee935611c..972a59fcc1 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md @@ -126,7 +126,7 @@ Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years. -Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, (Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0)[/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20] GPO should be enabled. +Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20). ### TPM-based smart cards From eaba412c54f9eeaada488b0edc367e1e3582a7fa Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 27 Dec 2021 12:24:33 -0800 Subject: [PATCH 069/122] Update credential-guard-requirements.md --- .../credential-guard/credential-guard-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 3b6e597559..4762a25d8b 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -14,7 +14,7 @@ ms.collection: - M365-identity-device-management - highpri ms.topic: article -ms.date: 12/16/2021 +ms.date: 12/27/2021 --- # Windows Defender Credential Guard: Requirements From 003a754dd223f50919de154eb2af08b237876b30 Mon Sep 17 00:00:00 2001 From: v-dihans Date: Mon, 27 Dec 2021 17:00:58 -0700 Subject: [PATCH 070/122] update image file names --- ...ew_blade.PNG => UC-workspace-overview-blade.PNG} | Bin ...ew_blade.png => uc-workspace-overview-blade.png} | Bin 2 files changed, 0 insertions(+), 0 deletions(-) rename windows/deployment/images/{UC_workspace_overview_blade.PNG => UC-workspace-overview-blade.PNG} (100%) rename windows/deployment/update/images/{uc_workspace_overview_blade.png => uc-workspace-overview-blade.png} (100%) diff --git a/windows/deployment/images/UC_workspace_overview_blade.PNG b/windows/deployment/images/UC-workspace-overview-blade.PNG similarity index 100% rename from windows/deployment/images/UC_workspace_overview_blade.PNG rename to windows/deployment/images/UC-workspace-overview-blade.PNG diff --git a/windows/deployment/update/images/uc_workspace_overview_blade.png b/windows/deployment/update/images/uc-workspace-overview-blade.png similarity index 100% rename from windows/deployment/update/images/uc_workspace_overview_blade.png rename to windows/deployment/update/images/uc-workspace-overview-blade.png From daffe60f33ff9991457f2b4829df7213749d4557 Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Mon, 27 Dec 2021 17:05:52 -0700 Subject: [PATCH 071/122] Update update-compliance-using.md --- windows/deployment/update/update-compliance-using.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index 6aa6b4a6de..3537d1c157 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -51,7 +51,7 @@ When you select this tile, you will be redirected to the Update Compliance works ### Overview blade -![The Overview blade.](images/UC_workspace_overview_blade.png) +![The Overview blade.](images/uc-workspace-overview-blade.png) Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items: * Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows client. From a8cea7e8f39b79cfb20d0936548b76a5dd3581f1 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 29 Dec 2021 11:15:41 +0530 Subject: [PATCH 072/122] Revert "Update policy-csp-update.md" This reverts commit 6d7c16916d7574104182fe6860e299c931240943. --- .../mdm/policy-csp-update.md | 76 +++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index c5c1634341..3cb2aee082 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1438,6 +1438,82 @@ Default value is 7.
+ +**Update/ConfigureDeadlineGracePeriod** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates),allows the admin to specify a minimum number of days until restarts occur automatically for quality updates. Setting the grace period might extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) is configured but this policy is not, then the default value of 2 will be used. + + + +ADMX Info: +- GP Friendly name: *Specify deadlines for automatic updates and restarts* +- GP name: *ConfigureDeadlineGracePeriod* +- GP element: *ConfigureDeadlineGracePeriod* +- GP path: *Administrative Templates\Windows Components\WindowsUpdate* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically after installing a required quality update. + +Default value is 2. + + + + + + + + + +
**Update/ConfigureDeadlineGracePeriodForFeatureUpdates** From a62084080df405af427486ecc4af50baaf8ab1af Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 29 Dec 2021 15:04:56 +0500 Subject: [PATCH 073/122] Correction in the sentance As there was confusion in the sentence, I have corrected this as WSL is available from build 19041 and higher. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10146 --- windows/whats-new/ltsc/whats-new-windows-10-2021.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index 6364bc3fd1..ac90bf888f 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md @@ -237,7 +237,7 @@ Microsoft Edge kiosk mode offers two lockdown experiences of the browser so orga ## Windows Subsystem for Linux -Windows Subsystem for Linux (WSL) is be available in-box. +Windows Subsystem for Linux (WSL) is available in-box. ## Networking From 7df61c5643b2381a5b433ccb9cb64ced6880042f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 29 Dec 2021 11:32:06 -0800 Subject: [PATCH 074/122] Update policy-csp-defender.md --- windows/client-management/mdm/policy-csp-defender.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index b062db74a9..d8c5c80c8c 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 01/08/2020 +ms.date: 12/29/2021 ms.reviewer: manager: dansimp ms.collection: highpri From 6eb3154a08d2dba2f155e3681e5b1d0f38bcd837 Mon Sep 17 00:00:00 2001 From: takondo Date: Thu, 30 Dec 2021 05:07:17 +0900 Subject: [PATCH 075/122] Update network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 1. Fix typo in "Notes" section under "Possible values" and add wording to make condition clearer. 2. This setting is enabled by default on Windows 10 1607 and newer. Make changes accordingly. 3. Update [Best practices]. Currently, the [best practices] state that the policy should be disabled. However, this is the best practice from Server 2008 R2 era and is old suggestion. The [Security considerations] section addresses this and specifies that the policy should be enabled for hybrid environments, but the [Best practices] section has not been updated. --- ...requests-to-this-computer-to-use-online-identities.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 7b4fd7fe4b..b41c905d78 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -34,14 +34,14 @@ When devices are configured to accept authentication requests by using online ID > [!NOTE] > Linking online IDs can be performed by anyone who has an account that has standard user’s credentials through Credential Manager. -This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers in Windows 7 and later. +This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers in Windows 7 up to Windows 10 1607. This policy is enabled by default on Windows 10 1607 and newer. ### Possible values - **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use of online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. > [!NOTE] - > KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client. + > PKU2U is disabled by default on Windows Server. If PKU2U is disabled, Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client. - **Disabled**: This setting prevents online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship. @@ -49,7 +49,7 @@ This policy isn't configured by default on domain-joined devices. This would dis ### Best practices -Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate. +Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate for on-premises only environments. Set this policy to **Enabled** for hybrid and Azure AD joined environments. ### Location @@ -66,7 +66,8 @@ The following table lists the effective default values for this policy. Default | Stand-alone server default settings | Not defined| | Domain controller effective default settings | Disabled| | Member server effective default settings | Disabled| -| Effective GPO default settings on client computers | Disabled| +| Effective GPO default settings on client computers prior to Windows 10 1607 | Disabled| +| Effective GPO default settings on client computers Windows 10 1607 and newer | Enabled| ## Security considerations From 8a8fe69b27584a821a6c0cfc7a28052c71f4b0e6 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 31 Dec 2021 09:55:22 +0500 Subject: [PATCH 076/122] Update quick-assist.md --- windows/client-management/quick-assist.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 0cca91cc74..6407654e40 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -19,6 +19,9 @@ Quick Assist is a Windows application that enables a person to share their devic All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn’t have to authenticate. +> [!NOTE] +> In case helper and sharer use different keyboard layouts or mouse settings, the ones from sharer are used during the session. + ### Authentication The helper can authenticate when they sign in by using a Microsoft Account (MSA) or Azure Active Directory. Local Active Directory authentication is not supported at this time. From a9289ad95f211dd7021eb3f3fa63244fb52db5f9 Mon Sep 17 00:00:00 2001 From: v-chodges <96920257+v-chodges@users.noreply.github.com> Date: Fri, 31 Dec 2021 10:49:56 -0600 Subject: [PATCH 077/122] Edit Notes: ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue It is recommended not to set the value below 2 days to avoid machines to go out of date. --- .../mdm/policy-csp-admx-microsoftdefenderantivirus.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index ea7d8bca47..fba7c6f419 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -3693,6 +3693,8 @@ ADMX Info: This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. +It is recommended not to set the value below 2 days to avoid machines to go out of date. + If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update. If you disable or do not configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update. From ffcfb6ca644c80a37ee4ff6a3d6a6d5581a55fec Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 1 Jan 2022 07:07:23 +0500 Subject: [PATCH 078/122] Update in the document As intune is now the Endpoint protection manager, so updated the content. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10173 --- ...ll-a-windows-10-device-automatically-using-group-policy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index c77b8f6df6..238ff184f9 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -50,11 +50,11 @@ For this policy to work, you must verify that the MDM service provider allows th To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. The following steps demonstrate required settings using the Intune service: -1. Verify that the user who is going to enroll the device has a valid Intune license. +1. Verify that the user who is going to enroll the device has a valid Endpoint Portection Manager license. :::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png"::: -2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). +2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM). For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png) From 5e39f46a6950dbd73bcd4002c85f8ed92d3eaa91 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sun, 2 Jan 2022 10:04:25 +0500 Subject: [PATCH 079/122] Update windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...roll-a-windows-10-device-automatically-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 238ff184f9..9fa74b61f9 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -50,7 +50,7 @@ For this policy to work, you must verify that the MDM service provider allows th To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. The following steps demonstrate required settings using the Intune service: -1. Verify that the user who is going to enroll the device has a valid Endpoint Portection Manager license. +1. Verify that the user who is going to enroll the device has a valid Endpoint Protection Manager license. :::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png"::: From 4af655ff21e345b79adecc33bbd1486a6c85a5ea Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 3 Jan 2022 12:16:24 +0530 Subject: [PATCH 080/122] Update --- windows/client-management/mdm/policy-csp-update.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 3cb2aee082..35224e6be7 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1582,6 +1582,7 @@ ADMX Info: Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically after installing a required feature update. Default value is 2. + From ff2ede5e39589e68a2e10b70e10a248d966c4a5a Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 3 Jan 2022 13:27:01 +0530 Subject: [PATCH 081/122] Update policy-csp-update.md --- windows/client-management/mdm/policy-csp-update.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 35224e6be7..1fab3d2f18 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -271,7 +271,7 @@ manager: dansimp -Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. +Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12-hour maximum from start time. > [!NOTE] > The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. @@ -414,7 +414,7 @@ ADMX Info: -Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. +Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12-hour maximum from end time. > [!NOTE] > The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. @@ -506,8 +506,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. -- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. +- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. +- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that do not shut down properly on restart.user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. - 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. - 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. - 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. From f834eca6654df5316a86d4e615fe5ae804a1fe63 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 3 Jan 2022 15:15:14 +0530 Subject: [PATCH 082/122] Update policy-csp-update.md --- .../mdm/policy-csp-update.md | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 3a15308984..42de3444a7 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1128,6 +1128,14 @@ Default value is 2. +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| +
@@ -1142,6 +1150,22 @@ Default value is 2. +When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates), allows the admin to specify a minimum number of days until restarts occur automatically for feature updates. Setting the grace period may extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) is configured but this policy is not, then the value from [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) will be used; if that policy is also not configured, then the default value of 2 will be used. + + + +ADMX Info: +- GP Friendly name: *Specify deadlines for automatic updates and restarts* +- GP name: *ConfigureDeadlineGracePeriodForFeatureUpdates* +- GP element: *ConfigureDeadlineGracePeriodForFeatureUpdates* +- GP path: *Administrative Templates\Windows Components\WindowsUpdate* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically after installing a required feature update. + +Default value is 2. From f61aa2010aac7960a3099b1ab0622d99c532fb4c Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 3 Jan 2022 13:21:47 +0200 Subject: [PATCH 083/122] Update description https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8840 --- windows/security/threat-protection/auditing/event-4625.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index 61e190ba1a..548b217e6d 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -23,7 +23,7 @@ ms.technology: windows-sec ***Event Description:*** -This event generates if an account logon attempt failed when the account was already locked out. It also generates for a logon attempt after which the account was locked out. +This event is logged for any logon failure. It generates on the computer where logon attempt was made, for example, if logon attempt was made on user’s workstation, then event will be logged on this workstation. @@ -293,4 +293,4 @@ For 4625(F): An account failed to log on. | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. | | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This issue is typically not a security issue but it can be an infrastructure or availability issue. | | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. | - | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | \ No newline at end of file + | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | From 9d93b1f9da96d49263654fc185e43ce24d686f11 Mon Sep 17 00:00:00 2001 From: v-chodges <96920257+v-chodges@users.noreply.github.com> Date: Mon, 3 Jan 2022 08:49:56 -0600 Subject: [PATCH 084/122] Update windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../mdm/policy-csp-admx-microsoftdefenderantivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index fba7c6f419..e8f77fefa1 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -3693,7 +3693,7 @@ ADMX Info: This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. -It is recommended not to set the value below 2 days to avoid machines to go out of date. +We do not recommend setting the value below two days to avoid machines going out of date. If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update. From 4329df31d1c583c512a076d3da820ee3b511e879 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 4 Jan 2022 00:17:57 +0530 Subject: [PATCH 085/122] Update policy-csp-update.md --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 42de3444a7..054a69cf8a 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1150,7 +1150,7 @@ Default value is 2. -When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates), allows the admin to specify a minimum number of days until restarts occur automatically for feature updates. Setting the grace period may extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) is configured but this policy is not, then the value from [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) will be used; if that policy is also not configured, then the default value of 2 will be used. +When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates), allows the admin to specify a minimum number of days until restarts occur automatically for feature updates. Setting the grace period may extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) is configured but this policy is not, then the value from [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) will be used; if that policy is also not configured, then the default value of 2 will be used. From 07db9f0fcfdb2b25bfb7e68842c0c914b416edd5 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 4 Jan 2022 00:29:49 +0530 Subject: [PATCH 086/122] Update policy-csp-update.md --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 054a69cf8a..18b041249a 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1203,7 +1203,7 @@ Default value is 2. -When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will delay automatically restarting until both the deadline and grace period have expired, even if applicable updates are already installed and pending a restart. +When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates), devices will delay automatically restarting until both the deadline and grace period have expired, even if applicable updates are already installed and pending a restart. When disabled, if the device has installed updates and is outside of active hours, it might attempt an automatic restart before the deadline. From 8b920d8805e84f941e89d44857a84dd56550def5 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:13:43 -0800 Subject: [PATCH 087/122] Update event-4625.md --- windows/security/threat-protection/auditing/event-4625.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index 548b217e6d..44603fc006 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 09/07/2021 +ms.date: 01/03/2022 ms.reviewer: manager: dansimp ms.author: dansimp From 09ef58e0256c540f2ad52efa512e7d884637b013 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:17:25 -0800 Subject: [PATCH 088/122] Update enroll-a-windows-10-device-automatically-using-group-policy.md --- ...roll-a-windows-10-device-automatically-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 9fa74b61f9..1bb3dbc3a7 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 12/03/2021 +ms.date: 01/03/2022 ms.reviewer: manager: dansimp ms.collection: highpri From cd460bcaeb13386e9262ef74fd1fd039d1cde03f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:19:15 -0800 Subject: [PATCH 089/122] Update policy-csp-admx-microsoftdefenderantivirus.md --- .../mdm/policy-csp-admx-microsoftdefenderantivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index e8f77fefa1..08bfd199f0 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 12/02/2020 +ms.date: 01/03/2022 ms.reviewer: manager: dansimp --- From 7c8ae05545f782609276cab7aff3b1acae60fd0e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:20:40 -0800 Subject: [PATCH 090/122] Update policy-csp-admx-microsoftdefenderantivirus.md --- .../mdm/policy-csp-admx-microsoftdefenderantivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index 08bfd199f0..f115057a2b 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -3693,7 +3693,7 @@ ADMX Info: This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. -We do not recommend setting the value below two days to avoid machines going out of date. +We do not recommend setting the value to less than 2 days to prevent machines from going out of date. If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update. From 305cc2e50f3eb711a3db8bb8cf4899fd889268dd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:21:46 -0800 Subject: [PATCH 091/122] Update windows/client-management/quick-assist.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/quick-assist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 6407654e40..f63400cfaf 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -20,7 +20,7 @@ Quick Assist is a Windows application that enables a person to share their devic All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn’t have to authenticate. > [!NOTE] -> In case helper and sharer use different keyboard layouts or mouse settings, the ones from sharer are used during the session. +> In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session. ### Authentication From 5cc0c739b032790e5c3a2675b1516de531de7dfe Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:23:15 -0800 Subject: [PATCH 092/122] Update windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index b41c905d78..4767297d8b 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -34,7 +34,7 @@ When devices are configured to accept authentication requests by using online ID > [!NOTE] > Linking online IDs can be performed by anyone who has an account that has standard user’s credentials through Credential Manager. -This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers in Windows 7 up to Windows 10 1607. This policy is enabled by default on Windows 10 1607 and newer. +This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers from Windows 7 up to Windows 10, Version 1607. This policy is enabled by default in Windows 10, Version 1607, and later. ### Possible values From a45b1464f64435acda70de9d1c25373d3b18a98f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:23:33 -0800 Subject: [PATCH 093/122] Update windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 4767297d8b..5dbbd249c2 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -67,7 +67,7 @@ The following table lists the effective default values for this policy. Default | Domain controller effective default settings | Disabled| | Member server effective default settings | Disabled| | Effective GPO default settings on client computers prior to Windows 10 1607 | Disabled| -| Effective GPO default settings on client computers Windows 10 1607 and newer | Enabled| +| Effective GPO default settings on client computers Windows 10, Version 1607 and later| Enabled| ## Security considerations From a4505b95a7dd99ac0aa17d3b3167b685c78c8ff2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:23:39 -0800 Subject: [PATCH 094/122] Update windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 5dbbd249c2..cef443df16 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -66,7 +66,7 @@ The following table lists the effective default values for this policy. Default | Stand-alone server default settings | Not defined| | Domain controller effective default settings | Disabled| | Member server effective default settings | Disabled| -| Effective GPO default settings on client computers prior to Windows 10 1607 | Disabled| +| Effective GPO default settings on client computers prior to Windows 10, Version 1607 | Disabled| | Effective GPO default settings on client computers Windows 10, Version 1607 and later| Enabled| ## Security considerations From 69a58e1afe6c0181e4cbc9e0b690622935fe75dd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:23:46 -0800 Subject: [PATCH 095/122] Update windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index cef443df16..17e7ba0bfb 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -49,7 +49,7 @@ This policy isn't configured by default on domain-joined devices. This would dis ### Best practices -Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate for on-premises only environments. Set this policy to **Enabled** for hybrid and Azure AD joined environments. +Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate for on-premises only environments. Set this policy to **Enabled** for hybrid and Azure AD-joined environments. ### Location From 2af534ff2d4c9b7c99a58e75da592ad8d3fe7f53 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:24:32 -0800 Subject: [PATCH 096/122] Update network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 17e7ba0bfb..e89957070a 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 01/03/2022 ms.technology: windows-sec --- From 9ea02ae7357144c883767173c6801d4696835136 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 4 Jan 2022 01:05:18 +0530 Subject: [PATCH 097/122] Update policy-csp-applicationmanagement.md --- .../mdm/policy-csp-applicationmanagement.md | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 2fdd8c06c8..532d154577 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -20,6 +20,9 @@ manager: dansimp ## ApplicationManagement policies
+
+ ApplicationManagement/AllowAutomaticAppArchiving +
ApplicationManagement/AllowAllTrustedApps
@@ -65,6 +68,62 @@ manager: dansimp
+
+ + +**ApplicationManagement/AllowAutomaticAppArchiving** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +This policy setting controls whether the system can archive infrequently used apps. + +- If you enable this policy setting, then the system will periodically check for and archive infrequently used apps. + +- If you disable this policy setting, then the system will not archive any apps. + +If you do not configure this policy setting (default), then the system will follow default behavior, which is to periodically check for and archive infrequently used apps, and the user will be able to configure this setting themselves. + + + +ADMX Info: +- GP Friendly name: *Allow all trusted apps to install* +- GP name: *AllowAutomaticAppArchiving* +- GP path: *Windows Components/App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + +The following list shows the supported values: + +- 0 - Explicit disable. +- 1 - Explicit enable. +- 65535 (default) - Not configured. + + + +
From 509824dd4d99bcd21c9ec585e537657a0a417195 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 4 Jan 2022 01:20:10 +0530 Subject: [PATCH 098/122] Update policy-csp-authentication.md --- .../mdm/policy-csp-authentication.md | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 78fee5443a..7344f3ddf4 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -39,6 +39,9 @@ manager: dansimp
Authentication/ConfigureWebSignInAllowedUrls
+
+ Authentication/ConfigureWebcamAccessDomainNames +
Authentication/EnableFastFirstSignIn
@@ -307,6 +310,55 @@ Specifies the list of domains that are allowed to be navigated to in AAD PIN res **Example**: If your organization's PIN reset or Web Sign-in authentication flow is expected to navigate to two domains, accounts.contoso.com and signin.contoso.com, the policy value should be "accounts.contoso.com;signin.contoso.com". + + + + + + + + + + + + +
+ + +**Authentication/ConfigureWebcamAccessDomainNames** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +Specifies the list of domain names that are allowed to access the webcam in Web Sign-in Windows device sign-in scenarios. + +Web Sign-in is only supported on Azure AD Joined PCs. + +**Example**: If your organization federates to "Contoso IDP" and your Web Sign-in portal at "signinportal.contoso.com" requires webcam access, the policy value should be "contoso.com". + + From 3c2922e2eb9ddb7414e9cbe883713c7223598af2 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 4 Jan 2022 01:37:06 +0530 Subject: [PATCH 099/122] Update policy-csp-devicelock.md --- .../mdm/policy-csp-devicelock.md | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 64a8ef9104..d32b7868bc 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -28,6 +28,9 @@ manager: dansimp
DeviceLock/AllowSimpleDevicePassword
+
+ DeviceLock/AllowScreenTimeoutWhileLockedUserConfig +
DeviceLock/AlphanumericDevicePasswordRequired
@@ -152,6 +155,47 @@ Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For th For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). + + +The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +
+ + +**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + + The following list shows the supported values: From bc51f80df3a28b7dcae913e13ff1e7afc6ca443c Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 3 Jan 2022 12:08:54 -0800 Subject: [PATCH 100/122] updating download link --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index e5f880e174..d4c8f8e591 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -31,7 +31,7 @@ ms.technology: privacy This article describes the network connections that Windows 10 and Windows 11 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. -Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 and Windows 11 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. +Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://download.microsoft.com/download/D/9/0/D905766D-FEDA-43E5-86ED-8987CEBD8D89/WindowsRTLFB.zip) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 and Windows 11 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. > [!IMPORTANT] > - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices. From 463e8c1645953af6b6b409c4ad8204e100928977 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 4 Jan 2022 01:50:40 +0530 Subject: [PATCH 101/122] Updated --- .../policy-configuration-service-provider.md | 8 ++ .../client-management/mdm/policy-csp-eap.md | 83 +++++++++++++++++++ windows/client-management/mdm/toc.yml | 2 + 3 files changed, 93 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-eap.md diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index f88a7df806..a8079fdff4 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -6181,6 +6181,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC +### EAP policies + +
+
+ EAP/AllowTLS1_3 +
+
+ ### Education policies
diff --git a/windows/client-management/mdm/policy-csp-eap.md b/windows/client-management/mdm/policy-csp-eap.md new file mode 100644 index 0000000000..08c0a773c6 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-eap.md @@ -0,0 +1,83 @@ +--- +title: Policy CSP - EAP +description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app. +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: dansimp +ms.localizationpriority: medium +ms.date: 09/27/2019 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - EAP + + +
+ + +## EAP policies + +
+
+ EAP/AllowTLS1_3 +
+
+ + +
+ + +**EAP/AllowTLS1_3<** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting is added in Windows 10, version 21H1. Allow or disallow use of TLS 1.3 during EAP client authentication. + + + +ADMX Info: +- GP Friendly name: *AllowTLS1_3* +- GP name: *AllowTLS1_3* +- GP path: *Windows Components/EAP* +- GP ADMX file name: *EAP.admx* + + + +The following list shows the supported values: +- 0 – Use of TLS version 1.3 is not allowed for authentication. + +- 1 (default) – Use of TLS version 1.3 is allowed for authentication. + + + + +
+ + + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 87673ea6e7..e0698232a0 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -701,6 +701,8 @@ items: href: policy-csp-display.md - name: DmaGuard href: policy-csp-dmaguard.md + - name: EAP + href: policy-csp-eap.md - name: Education href: policy-csp-education.md - name: EnterpriseCloudPrint From 3d578d806a94657b00b9934be9824f57b48a34a8 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 4 Jan 2022 11:41:34 +0530 Subject: [PATCH 102/122] Removed Audit/Warn line. --- windows/client-management/mdm/policy-csp-storage.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index da73c643b4..5d43f8f336 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -612,8 +612,6 @@ This policy will do the enforcement over the following protocols which are used If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android. -Audit/Warn – Audit/Warn modes with customer justifications. - >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. @@ -674,8 +672,6 @@ This policy will do the enforcement over the following protocols which are used If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android. -Audit/Warn – Audit/Warn modes with customer justifications. - >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. @@ -736,8 +732,6 @@ This policy will do the enforcement over the following protocols which are used If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android. -Audit/Warn – Audit/Warn modes with customer justifications. - >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. @@ -798,8 +792,6 @@ This policy will do the enforcement over the following protocols which are used If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android. -Audit/Warn – Audit/Warn modes with customer justifications. - >[!NOTE] > WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. From abe2470a1ffba8b4861bbb66f31ee26cb21cae5e Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 4 Jan 2022 14:39:49 +0530 Subject: [PATCH 103/122] Updated --- .../policy-configuration-service-provider.md | 14 ++ .../mdm/policy-csp-humanpresence.md | 190 ++++++++++++++++++ windows/client-management/mdm/toc.yml | 2 + 3 files changed, 206 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-humanpresence.md diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index f88a7df806..0579418cbd 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -6371,6 +6371,20 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### HumanPresence policies + +
+
+ HumanPresence/ForceInstantLock +
+
+ HumanPresence/ForceInstantWake +
+
+ HumanPresence/ForceLockTimeout +
+
+ ### InternetExplorer policies
diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md new file mode 100644 index 0000000000..f9d5c24842 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -0,0 +1,190 @@ +--- +title: Policy CSP - HumanPresence +description: Use the Policy CSP - HumanPresence setting allows wake on approach and lock on leave that can be managed from MDM. +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: dansimp +ms.localizationpriority: medium +ms.date: 09/27/2019 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - HumanPresence + + + +
+ + +## HumanPresence policies + +
+
+ HumanPresence/ForceInstantLock +
+
+ HumanPresence/ForceInstantWake +
+
+ HumanPresence/ForceLockTimeout +
+
+ + +
+ + +**HumanPresence/ForceInstantLock** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy specifies whether the device can lock when a human presence sensor detects a human. + + + +ADMX Info: +- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM* +- GP name: *ForceInstantLock* +- GP path: *Windows Components/HumanPresence* +- GP ADMX file name: *HumanPresence.admx* + + + +The following list shows the supported values: + +- 2 = ForcedOff +- 1 = ForcedOn +- 0 = DefaultToUserChoice +- Defaults to 0. + + + +
+ + +**HumanPresence/ForceInstantWake** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy specifies whether the device can lock when a human presence sensor detects a human. + + + +ADMX Info: +- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM* +- GP name: *ForceInstantWake* +- GP path: *Windows Components/HumanPresence* +- GP ADMX file name: *HumanPresence.admx* + + + +The following list shows the supported values: + +- 2 = ForcedOff +- 1 = ForcedOn +- 0 = DefaultToUserChoice +- Defaults to 0. + + + +
+ + +**HumanPresence/ForceLockTimeout** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy specifies at what distance the sensor wakes up when it sees a human in seconds. + + + +ADMX Info: +- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM* +- GP name: *ForceLockTimeout* +- GP path: *Windows Components/HumanPresence* +- GP ADMX file name: *HumanPresence.admx* + + + +Integer value that specifies whether the device can lock when a human presence sensor detects a human. + +The following list shows the supported values: + +- 120 = 120 seconds +- 30 = 30 seconds +- 10 = 10 seconds +- 0 = DefaultToUserChoice +- Defaults to 0 + + + +
+ + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 87673ea6e7..51ac7ce80f 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -721,6 +721,8 @@ items: href: policy-csp-games.md - name: Handwriting href: policy-csp-handwriting.md + - name: HumanPresence + href: policy-csp-humanpresence.md - name: InternetExplorer href: policy-csp-internetexplorer.md - name: Kerberos From 94656af0051564618c6705b00962671fee4544e1 Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Tue, 4 Jan 2022 08:06:18 -0800 Subject: [PATCH 104/122] Update policy-csp-notifications.md update sensitive language term --- windows/client-management/mdm/policy-csp-notifications.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 3be6f32d76..f2a1383e75 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -265,7 +265,7 @@ This policy setting determines which Windows Notification Service endpoint will If you disable or do not configure this setting, the push notifications will connect to the default endpoint of client.wns.windows.com. -Note: Ensure the proper WNS FQDNs, VIPs, IPs and Ports are also whitelisted from your firewall settings. +Note: Ensure the proper WNS FQDNs, VIPs, IPs and Ports are also allowlisted from your firewall settings. @@ -284,4 +284,4 @@ If the policy is not specified, we will default our connection to client.wns.win
- \ No newline at end of file + From 9340a272609d566ae577b2fafb2930c83a21732c Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 5 Jan 2022 00:33:08 +0530 Subject: [PATCH 105/122] Updated --- .../mdm/policy-csp-admx-taskbar.md | 2 +- .../mdm/policy-csp-admx-terminalserver.md | 34 ++++++++++--------- 2 files changed, 19 insertions(+), 17 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md index a22e45d37f..2abbb2c51b 100644 --- a/windows/client-management/mdm/policy-csp-admx-taskbar.md +++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md @@ -1115,5 +1115,5 @@ ADMX Info:
-p + diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 61b3d28bd5..a2303746fc 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -2766,7 +2766,7 @@ ADMX Info: -This policy determines whether the RPC protocol messagese used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. By default, the RPC protocol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. +This policy determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. By default, the RPC protocol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service. @@ -2812,7 +2812,7 @@ ADMX Info: -This policy determines whether the RPC protocol messagese used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. By default, the RPC protocol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. +This policy determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. By default, the RPC protocol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service. @@ -2915,9 +2915,10 @@ Therefore, you must use the same farm name for all RD Session Host servers in th - If you disable or do not configure this policy setting, the farm name is not specified at the Group Policy level. ->[!NOTES] -> 1. This policy setting is not effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy. -> 2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. +> [!NOTE] +> This policy setting is not effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy. + +For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. @@ -2966,7 +2967,7 @@ This policy setting allows you to specify the redirection method to use when a c If you do not configure this policy setting, the Use IP address redirection policy setting is not enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default. ->[!NOTES] +> [!NOTE] > For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. @@ -3014,12 +3015,13 @@ The specified server must be running the Remote Desktop Connection Broker servic - If you enable this policy setting, you must specify the RD Connection Broker server by using its fully qualified domain name (FQDN). In Windows Server 2012, for a high availability setup with multiple RD Connection Broker servers, you must provide a semi-colon separated list of the FQDNs of all the RD Connection Broker servers. - If you disable or do not configure this policy setting, the policy setting is not specified at the Group Policy level. - ->[!NOTES] -> 1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. -> 2. This policy setting is not effective unless the Join RD Connection Broker policy setting is enabled. -> 3. To be an active member of an RD Session Host server farm, the computer account for each RD Session Host server in the farm must be a member of one of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker Computers, or RDS Endpoint Servers. + +> [!NOTE] +> For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. +> This policy setting is not effective unless the Join RD Connection Broker policy setting is enabled. +> To be an active member of an RD Session Host server farm, the computer account for each RD Session Host server in the farm must be a member of one of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker Computers, or RDS Endpoint Servers. + @@ -3067,11 +3069,11 @@ This policy setting specifies whether to require the use of a specific security The following security methods are available: -1. * Negotiate: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the RD Session Host server. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended. -2. * RDP: The RDP method uses native RDP encryption to secure communications between the client and RD Session Host server. If you select this setting, the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended. -3. * SSL (TLS 1.0): The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported, the connection fails. This is the recommended setting for this policy. +- **Negotiate**: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the RD Session Host server. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended. +- **RDP**: The RDP method uses native RDP encryption to secure communications between the client and RD Session Host server. If you select this setting, the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended. +- **SSL (TLS 1.0)**: The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported, the connection fails. This is the recommended setting for this policy. -- If you disable or do not configure this policy setting, the security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level. +If you disable or do not configure this policy setting, the security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level. @@ -3560,7 +3562,7 @@ ADMX Info: -This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available nework bandwidth. +This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available network bandwidth. If you enable this policy setting, the RemoteFX experience could be set to one of the following options: 1. Let the system choose the experience for the network condition From c159a7b11dbb67cb512bef4d82b3a41086309bfd Mon Sep 17 00:00:00 2001 From: sravanigannavarapu <95500630+sravanigannavarapu@users.noreply.github.com> Date: Tue, 4 Jan 2022 15:34:45 -0800 Subject: [PATCH 106/122] Update audit-registry.md --- windows/security/threat-protection/auditing/audit-registry.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md index 306872fcbc..38c9f81091 100644 --- a/windows/security/threat-protection/auditing/audit-registry.md +++ b/windows/security/threat-protection/auditing/audit-registry.md @@ -49,5 +49,4 @@ If success auditing is enabled, an audit entry is generated each time any accoun > [!NOTE] > On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". - -Calls to Registry APIs to access an open key object to perform an operation such as RegSetValue, RegEnumValue, and RegRenameKey would trigger an event to access the object (event 4663). For example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would. +> Calls to Registry APIs to access an open key object to perform an operation such as RegSetValue, RegEnumValue, and RegRenameKey would trigger an event to access the object (event 4663). For example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would. From e666c74fd8cbe0fa83566a98f6c8b73f67701471 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Wed, 5 Jan 2022 10:39:03 +0530 Subject: [PATCH 107/122] Removed the numbers and added bullets --- .../mdm/policy-csp-admx-terminalserver.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index a2303746fc..a1920a3b5e 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -329,7 +329,7 @@ manager: dansimp This policy specifies whether to allow Remote Desktop Connection clients to automatically reconnect to sessions on an RD Session Host server if their network link is temporarily lost. -By default, a maximum of twenty reconnection attempts are made at five second intervals. If the status is set to Enabled, automatic reconnection is attempted for all clients running Remote Desktop Connection whenever their network connection is lost. +By default, a maximum of 20 reconnection attempts are made at five-second intervals. If the status is set to Enabled, automatic reconnection is attempted for all clients running Remote Desktop Connection whenever their network connection is lost. If the status is set to Disabled, automatic reconnection of clients is prohibited. If the status is set to Not Configured, automatic reconnection is not specified at the Group Policy level. However, users can configure automatic reconnection using the "Reconnect if connection is dropped" checkbox on the Experience tab in Remote Desktop Connection. @@ -498,7 +498,7 @@ ADMX Info: -This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. +This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). @@ -3268,11 +3268,11 @@ This policy setting allows you to specify whether the client will establish a co - If you enable this policy setting, you must specify one of the following settings: - 1. Always connect, even if authentication fails: The client connects to the RD Session Host server even if the client cannot authenticate the RD Session Host server. + - Always connect, even if authentication fails: The client connects to the RD Session Host server even if the client cannot authenticate the RD Session Host server. - 2. Warn me if authentication fails: The client attempts to authenticate the RD Session Host server. If the RD Session Host server can be authenticated, the client establishes a connection to the RD Session Host server. If the RD Session Host server cannot be authenticated, the user is prompted to choose whether to connect to the RD Session Host server without authenticating the RD Session Host server. + - Warn me if authentication fails: The client attempts to authenticate the RD Session Host server. If the RD Session Host server can be authenticated, the client establishes a connection to the RD Session Host server. If the RD Session Host server cannot be authenticated, the user is prompted to choose whether to connect to the RD Session Host server without authenticating the RD Session Host server. - 3. Do not connect if authentication fails: The client establishes a connection to the RD Session Host server only if the RD Session Host server can be authenticated. + - Do not connect if authentication fails: The client establishes a connection to the RD Session Host server only if the RD Session Host server can be authenticated. - If you disable or do not configure this policy setting, the authentication setting that is specified in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. From 0d604646a85dc74575cb1609e0e7622c84ba23db Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 5 Jan 2022 15:30:41 +0530 Subject: [PATCH 108/122] Update policy-csp-humanpresence.md --- windows/client-management/mdm/policy-csp-humanpresence.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index f9d5c24842..98fafc4e6d 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -46,8 +46,8 @@ manager: dansimp |Home|No|No| |Pro|No|No| |Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +|Enterprise|No|Yes| +|Education|No|Yes|
From e669287ba0f3a44ab5bc3c5c11b3d51b319b13ee Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 5 Jan 2022 15:34:18 +0530 Subject: [PATCH 109/122] Update policy-csp-humanpresence.md --- windows/client-management/mdm/policy-csp-humanpresence.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index 98fafc4e6d..9ce283864c 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -95,8 +95,8 @@ The following list shows the supported values: |Home|No|No| |Pro|No|No| |Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +|Enterprise|No|Yes| +|Education|No|Yes|
@@ -144,8 +144,8 @@ The following list shows the supported values: |Home|No|No| |Pro|No|No| |Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +|Enterprise|No|Yes| +|Education|No|Yes|
From 138fd479d992a3dae186013f3df28b880db1c1fc Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 5 Jan 2022 15:41:22 +0530 Subject: [PATCH 110/122] Update policy-csp-humanpresence.md --- windows/client-management/mdm/policy-csp-humanpresence.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index 9ce283864c..4a902246b7 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -95,8 +95,8 @@ The following list shows the supported values: |Home|No|No| |Pro|No|No| |Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| +|Enterprise|No|No| +|Education|No|No|
@@ -144,8 +144,8 @@ The following list shows the supported values: |Home|No|No| |Pro|No|No| |Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| +|Enterprise|No|No| +|Education|No|No|
From 0b923c92302e773bd31594ee428f8e579940ea1e Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 5 Jan 2022 15:46:17 +0530 Subject: [PATCH 111/122] Update policy-csp-humanpresence.md --- windows/client-management/mdm/policy-csp-humanpresence.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index 4a902246b7..9ce283864c 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -95,8 +95,8 @@ The following list shows the supported values: |Home|No|No| |Pro|No|No| |Business|No|No| -|Enterprise|No|No| -|Education|No|No| +|Enterprise|No|Yes| +|Education|No|Yes|
@@ -144,8 +144,8 @@ The following list shows the supported values: |Home|No|No| |Pro|No|No| |Business|No|No| -|Enterprise|No|No| -|Education|No|No| +|Enterprise|No|Yes| +|Education|No|Yes|
From dc2d02c4b0558776ab1ca484eb869f7eabd4e524 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 5 Jan 2022 17:51:09 +0530 Subject: [PATCH 112/122] Update policy-csp-eap.md --- windows/client-management/mdm/policy-csp-eap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-eap.md b/windows/client-management/mdm/policy-csp-eap.md index 08c0a773c6..4a50535a07 100644 --- a/windows/client-management/mdm/policy-csp-eap.md +++ b/windows/client-management/mdm/policy-csp-eap.md @@ -30,7 +30,7 @@ manager: dansimp
-**EAP/AllowTLS1_3<** +**EAP/AllowTLS1_3** From 2cee54dd4a417f4358dd836c4e09dc6025fd67de Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 5 Jan 2022 17:53:59 +0530 Subject: [PATCH 113/122] Update policy-csp-devicelock.md --- windows/client-management/mdm/policy-csp-devicelock.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index d32b7868bc..ebd5365b45 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -152,15 +152,14 @@ Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For th > This policy must be wrapped in an Atomic command. - For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 (default) – Blocked +- 1 – Allowed From df09430ff830a7ed40fc6697f4d031da6a43e6d7 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 5 Jan 2022 19:56:16 +0530 Subject: [PATCH 114/122] Update policy-csp-power.md --- windows/client-management/mdm/policy-csp-power.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index e8b4361743..f42ef230e5 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -120,22 +120,22 @@ manager: dansimp Pro - Yes + No Yes Business - Yes + No Yes Enterprise - Yes + No Yes Education - Yes + No Yes From dc66f44917d8b44b680ec3d1ca3f2bdfc9b25d06 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 5 Jan 2022 20:01:47 +0530 Subject: [PATCH 115/122] Update policy-csp-power.md --- windows/client-management/mdm/policy-csp-power.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index f42ef230e5..7ff6dc2585 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -14,11 +14,10 @@ manager: dansimp # Policy CSP - Power - -
+ ## Power policies
From b37498d8e28cb552079306229bc99e7374f18cbf Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 5 Jan 2022 20:04:40 +0530 Subject: [PATCH 116/122] Update policy-csp-power.md --- windows/client-management/mdm/policy-csp-power.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 7ff6dc2585..535d207080 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -103,7 +103,7 @@ manager: dansimp
-**Power/AllowHibernate** +**Power/AllowHibernate** From cf7dad1d318d8216ce76ccfe6a27cf2f9ba07db8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 5 Jan 2022 09:31:51 -0800 Subject: [PATCH 117/122] Update audit-registry.md --- windows/security/threat-protection/auditing/audit-registry.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md index 38c9f81091..4004a503f4 100644 --- a/windows/security/threat-protection/auditing/audit-registry.md +++ b/windows/security/threat-protection/auditing/audit-registry.md @@ -11,7 +11,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 12/16/2021 +ms.date: 01/05/2021 ms.technology: windows-sec --- From dfbc2a2cdf522005479ca7d70264d3337e3da7cf Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 5 Jan 2022 09:32:05 -0800 Subject: [PATCH 118/122] Update windows/security/threat-protection/auditing/audit-registry.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/security/threat-protection/auditing/audit-registry.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md index 4004a503f4..ace2bfd284 100644 --- a/windows/security/threat-protection/auditing/audit-registry.md +++ b/windows/security/threat-protection/auditing/audit-registry.md @@ -49,4 +49,5 @@ If success auditing is enabled, an audit entry is generated each time any accoun > [!NOTE] > On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". +> > Calls to Registry APIs to access an open key object to perform an operation such as RegSetValue, RegEnumValue, and RegRenameKey would trigger an event to access the object (event 4663). For example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would. From a1ef229ccc4ca43d3f5517b526dce0f188dedf0f Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Wed, 5 Jan 2022 17:57:15 -0500 Subject: [PATCH 119/122] Removing Win10 Mobile --- .../ltsc/whats-new-windows-10-2015.md | 50 +++++++-------- .../ltsc/whats-new-windows-10-2016.md | 13 ++-- ...ts-new-windows-10-version-1507-and-1511.md | 62 +++++++++---------- .../whats-new-windows-10-version-1607.md | 7 +-- 4 files changed, 64 insertions(+), 68 deletions(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index d02ab43956..9aa921ea74 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -17,12 +17,12 @@ ms.topic: article # What's new in Windows 10 Enterprise LTSC 2015 **Applies to** -- Windows 10 Enterprise LTSC 2015 +- Windows 10 Enterprise LTSC 2015 -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). ->[!NOTE] ->Features in Windows 10 Enterprise LTSC 2015 are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md). +> [!NOTE] +> Features in Windows 10 Enterprise LTSC 2015 are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md). ## Deployment @@ -42,7 +42,6 @@ Enhancements to AppLocker in Windows 10 include: - A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. - A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. -- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](/windows/client-management/mdm/applocker-csp). [Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). @@ -58,7 +57,7 @@ Enhancements to AppLocker in Windows 10 include: ### Certificate management -For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile) +For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. ### Microsoft Passport @@ -68,13 +67,13 @@ Microsoft Passport lets users authenticate to a Microsoft account, an Active Dir ### Security auditing -In Windows 10, security auditing has added some improvements: +In Windows 10, security auditing has added some improvements: - [New audit subcategories](#bkmk-auditsubcat) - [More info added to existing audit events](#bkmk-moreinfo) #### New audit subcategories -In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: +In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: - [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. - [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. @@ -83,7 +82,7 @@ In Windows 10, two new audit subcategories were added to the Advanced Audit Pol #### More info added to existing audit events -With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: +With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: - [Changed the kernel default audit policy](#bkmk-kdal) - [Added a default process SACL to LSASS.exe](#bkmk-lsass) - [Added new fields in the logon event](#bkmk-logon) @@ -94,11 +93,11 @@ With Windows 10, version 1507, we've added more info to existing audit events t #### Changed the kernel default audit policy -In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. +In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. #### Added a default process SACL to LSASS.exe -In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. +In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. This can help identify attacks that steal credentials from the memory of a process. #### New fields in the logon event @@ -137,7 +136,7 @@ The logon event ID 4688 has been updated to include more verbose information to #### New Security Account Manager events -In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: +In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: - SamrEnumerateGroupsInDomain - SamrEnumerateUsersInDomain - SamrEnumerateAliasesInDomain @@ -170,9 +169,9 @@ Event ID 6416 has been added to track when an external device is detected throug ### Trusted Platform Module -#### New TPM features in Windows 10 +#### New TPM features in Windows 10 -The following sections describe the new and changed functionality in the TPM for Windows 10: +The following sections describe the new and changed functionality in the TPM for Windows 10: - [Device health attestation](#bkmk-dha) - [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support - [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support @@ -186,7 +185,8 @@ Some things that you can check on the device are: - Is BitLocker Drive Encryption supported and enabled? - Is SecureBoot supported and enabled? -> **Note**  The device must be running Windows 10 and it must support at least TPM 2.0. +> [!NOTE] +> The device must be running Windows 10 and it must support at least TPM 2.0. [Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview). @@ -198,7 +198,7 @@ You should not turn off UAC because this is not a supported scenario for devices For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). -In Windows 10, User Account Control has added some improvements: +In Windows 10, User Account Control has added some improvements: - **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](/windows/win32/amsi/antimalware-scan-interface-portal) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. @@ -219,13 +219,13 @@ Windows 10 provides a set of VPN features that both increase enterprise security ## Management -Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. +Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. ### MDM support -MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. +MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. -MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. +MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](/windows/client-management/mdm/) @@ -245,8 +245,8 @@ Enterprises have the following identity and management choices. | Grouping | Domain join; Workgroup; Azure AD join | | Device management | Group Policy; Microsoft Endpoint Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | - > **Note**   -With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](/lifecycle/). +> [!NOTE] +> With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](/lifecycle/). ### Device lockdown @@ -272,9 +272,9 @@ Administrators can also use mobile device management (MDM) or Group Policy to di ## Updates -Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. +Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. -By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: +By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: - **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). @@ -287,7 +287,7 @@ Together, these Windows Update for Business features help reduce device manageme Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). -For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates). +For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates). ## Microsoft Edge @@ -295,4 +295,4 @@ The new chromium-based Microsoft Edge is not included in the LTSC release of Win ## See Also -[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. \ No newline at end of file +[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md index b563c7b398..1a98ceb952 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md @@ -17,9 +17,9 @@ ms.topic: article # What's new in Windows 10 Enterprise LTSC 2016 **Applies to** -- Windows 10 Enterprise LTSC 2016 +- Windows 10 Enterprise LTSC 2016 -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2016 (LTSB), compared to Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2016 (LTSB), compared to Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). >[!NOTE] >Features in Windows 10 Enterprise LTSC 2016 are equivalent to Windows 10, version 1607. @@ -76,7 +76,6 @@ Additional changes for Windows Hello in Windows 10 Enterprise LTSC 2016: - Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. - Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. - Beginning in this version of Windows 10, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**. - [Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification) @@ -88,7 +87,9 @@ Additional changes for Windows Hello in Windows 10 Enterprise LTSC 2016: It provides the following benefits: - The algorithm is FIPS-compliant. - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. - >**Note:** Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. + + > [!NOTE] + > Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. ### Security auditing @@ -135,7 +136,7 @@ With the growing threat from more sophisticated targeted attacks, a new security - The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. - The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. - New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607) -- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. +- Microsoft Intune: *VPN* profile template includes support for native VPN plug-ins. For more information, see [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure). ## Management @@ -179,4 +180,4 @@ The new chromium-based Microsoft Edge is not included in the LTSC release of Win ## See Also -[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. \ No newline at end of file +[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release. diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index 373252080c..efdd81bde2 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, versions 1507 and 1511 (Windows 10) -description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511) and Windows 10 Mobile. +description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511). ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6 ms.reviewer: ms.prod: w10 @@ -34,11 +34,10 @@ With Windows 10, you can create provisioning packages that let you quickly and e ### AppLocker -#### New AppLocker features in Windows 10, version 1507 +#### New AppLocker features in Windows 10, version 1507 - A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. - A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. -- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](/windows/client-management/mdm/applocker-csp). [Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). @@ -51,10 +50,10 @@ With Windows 10, you can create provisioning packages that let you quickly and e - The algorithm is FIPS-compliant. - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. ->[!NOTE] ->Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. +> [!NOTE] +> Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. -#### New BitLocker features in Windows 10, version 1507 +#### New BitLocker features in Windows 10, version 1507 @@ -80,7 +79,7 @@ With Windows 10, you can create provisioning packages that let you quickly and e ### Easier certificate management -For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](https://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile) +For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. ### Microsoft Passport @@ -94,15 +93,15 @@ Microsoft Passport lets users authenticate to a Microsoft account, an Active Dir - The [WindowsSecurityAuditing](/windows/client-management/mdm/windowssecurityauditing-csp) and [Reporting](/windows/client-management/mdm/reporting-csp) configuration service providers allow you to add security audit policies to mobile devices. -#### New features in Windows 10, version 1507 +#### New features in Windows 10, version 1507 -In Windows 10, security auditing has added some improvements: +In Windows 10, security auditing has added some improvements: - [New audit subcategories](#bkmk-auditsubcat) - [More info added to existing audit events](#bkmk-moreinfo) ##### New audit subcategories -In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: +In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: - [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. - [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. @@ -111,7 +110,7 @@ In Windows 10, two new audit subcategories were added to the Advanced Audit Pol ##### More info added to existing audit events -With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: +With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events: - [Changed the kernel default audit policy](#bkmk-kdal) - [Added a default process SACL to LSASS.exe](#bkmk-lsass) - [Added new fields in the logon event](#bkmk-logon) @@ -122,11 +121,11 @@ With Windows 10, version 1507, we've added more info to existing audit events t ##### Changed the kernel default audit policy -In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. +In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. ##### Added a default process SACL to LSASS.exe -In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. +In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. This can help identify attacks that steal credentials from the memory of a process. ##### New fields in the logon event @@ -165,7 +164,7 @@ The logon event ID 4688 has been updated to include more verbose information to ##### New Security Account Manager events -In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: +In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited: - SamrEnumerateGroupsInDomain - SamrEnumerateUsersInDomain - SamrEnumerateAliasesInDomain @@ -198,13 +197,13 @@ Event ID 6416 has been added to track when an external device is detected throug ### Trusted Platform Module -#### New TPM features in Windows 10, version 1511 +#### New TPM features in Windows 10, version 1511 - Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). -#### New TPM features in Windows 10, version 1507 +#### New TPM features in Windows 10, version 1507 -The following sections describe the new and changed functionality in the TPM for Windows 10: +The following sections describe the new and changed functionality in the TPM for Windows 10: - [Device health attestation](#bkmk-dha) - [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support - [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support @@ -219,7 +218,7 @@ Some things that you can check on the device are: - Is SecureBoot supported and enabled? >[!NOTE] ->The device must be running Windows 10 and it must support at least TPM 2.0. +>The device must be running Windows 10 and it must support at least TPM 2.0. [Learn how to deploy and manage TPM within your organization](/windows/device-security/tpm//trusted-platform-module-overview). @@ -231,9 +230,9 @@ You should not turn off UAC because this is not a supported scenario for devices For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings). -In Windows 10, User Account Control has added some improvements. +In Windows 10, User Account Control has added some improvements. -#### New User Account Control features in Windows 10, version 1507 +#### New User Account Control features in Windows 10, version 1507 - **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](/windows/win32/amsi/antimalware-scan-interface-portal) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. @@ -254,13 +253,13 @@ Windows 10 provides a set of VPN features that both increase enterprise security ## Management -Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. +Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. ### MDM support -MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. +MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. -MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. +MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](/windows/client-management/mdm/) @@ -282,7 +281,8 @@ Enterprises have the following identity and management choices. | Grouping | Domain join; Workgroup; Azure AD join | | Device management | Group Policy; Microsoft Endpoint Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | -**Note:** With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](/lifecycle/). +> [!NOTE] +> With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](/lifecycle/). ### Device lockdown @@ -318,9 +318,9 @@ For more information, see [Microsoft Store for Business overview](/microsoft-sto ## Updates -Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. +Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. -By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: +By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: - **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). @@ -333,7 +333,7 @@ Together, these Windows Update for Business features help reduce device manageme Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). -For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates). +For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/waas-servicing-strategy-windows-10-updates). ## Microsoft Edge Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. @@ -344,9 +344,9 @@ Microsoft Edge takes you beyond just browsing to actively engaging with the web - **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls. ### Enterprise guidance -Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). +Microsoft Edge is the default browser experience for Windows 10. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). -We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10. +We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10. [Learn more about using Microsoft Edge in the enterprise](/microsoft-edge/deploy/emie-to-improve-compatibility) @@ -354,7 +354,3 @@ We also recommend that you upgrade to IE11 if you're running any earlier version ## Learn more - [Windows 10 release information](https://technet.microsoft.com/windows/release-info) - - - - diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index e211ea26c2..ccf2f1132f 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1607 (Windows 10) -description: What's new in Windows 10 for Windows 10 (version 1607) and Windows 10 Mobile. +description: What's new in Windows 10 for Windows 10 (version 1607). keywords: ["What's new in Windows 10", "Windows 10", "anniversary update"] ms.prod: w10 ms.mktglfcycl: deploy @@ -19,7 +19,7 @@ Below is a list of some of the new and updated features in Windows 10, version 1 >[!NOTE] >For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). -   + ## Deployment ### Windows Imaging and Configuration Designer (ICD) @@ -78,7 +78,6 @@ Additional changes for Windows Hello in Windows 10, version 1607: - Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. - Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. - Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. - [Learn more about Windows Hello for Business.](/windows/access-protection/hello-for-business/hello-identity-verification) @@ -87,7 +86,7 @@ Additional changes for Windows Hello in Windows 10, version 1607: - The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. - The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. - New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607) -- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. +- Microsoft Intune: *VPN* profile template includes support for native VPN plug-ins. For more information, see [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure). ### Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) From da207de45741eed0d937f53f001f9757ac27704f Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Thu, 6 Jan 2022 16:10:30 +0530 Subject: [PATCH 120/122] Updated --- .../mdm/policy-csp-remotedesktop.md | 264 ++++++++++++++++++ .../mdm/policy-csp-search.md | 49 +--- 2 files changed, 266 insertions(+), 47 deletions(-) create mode 100644 windows/client-management/mdm/policy-csp-remotedesktop.md diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md new file mode 100644 index 0000000000..e30c9f6ceb --- /dev/null +++ b/windows/client-management/mdm/policy-csp-remotedesktop.md @@ -0,0 +1,264 @@ +--- +title: Policy CSP - RemoteDesktop +description: Learn how the Policy CSP - RemoteDesktop setting allows you to specify a custom message to display. +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: dansimp +ms.localizationpriority: medium +ms.date: 09/27/2019 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - RemoteDesktop + +
+ + +## RemoteDesktop policies + +
+
+ RemoteDesktop/AutoSubscription +
+
+ RemoteDesktop/LoadAadCredKeyFromProfile +
+
+ +> [!TIP] +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+ + +**RemoteDesktop/AutoSubscription<** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + + + + + +ADMX Info: +- GP Friendly name: *Customize warning messages* +- GP name: *AutoSubscription* +- GP path: *System/Remote Desktop* +- GP ADMX file name: *remotedesktop.admx* + + + + +
+ + +**RemoteAssistance/SessionLogging** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance. + +If you enable this policy setting, log files are generated. + +If you disable this policy setting, log files are not generated. + +If you do not configure this setting, application-based settings are used. + + + + +ADMX Info: +- GP Friendly name: *Turn on session logging* +- GP name: *RA_Logging* +- GP path: *System/Remote Assistance* +- GP ADMX file name: *remoteassistance.admx* + + + + +
+ + +**RemoteAssistance/SolicitedRemoteAssistance** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. + +If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings. + +If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer. + +If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings. + +If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." + +The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open. + +The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported. + +If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications. + + + + +ADMX Info: +- GP Friendly name: *Configure Solicited Remote Assistance* +- GP name: *RA_Solicit* +- GP path: *System/Remote Assistance* +- GP ADMX file name: *remoteassistance.admx* + + + + +
+ + +**RemoteAssistance/UnsolicitedRemoteAssistance** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. + +If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. + +If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. + +If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. + +If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance. + +To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format: + +`\` or + +`\` + +If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running. + +Windows Vista and later + +Enable the Remote Assistance exception for the domain profile. The exception must contain: +Port 135:TCP +%WINDIR%\System32\msra.exe +%WINDIR%\System32\raserver.exe + +Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1) + +Port 135:TCP +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe +%WINDIR%\System32\Sessmgr.exe + +For computers running Windows Server 2003 with Service Pack 1 (SP1) + +Port 135:TCP +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe +Allow Remote Desktop Exception + + + + +ADMX Info: +- GP Friendly name: *Configure Offer Remote Assistance* +- GP name: *RA_Unsolicit* +- GP path: *System/Remote Assistance* +- GP ADMX file name: *remoteassistance.admx* + + + +
+ + diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 667994f6ca..426be9aa21 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -191,6 +191,7 @@ The following list shows the supported values: +This policy allows the cortana opt-in page during windows setup out of the box experience. @@ -207,57 +208,11 @@ ADMX Info: This is a simple boolean value, default false, that can be set by MDM policy to allow the Cortana Page in OOBE when logged in with an AAD account. +
- - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- **Search/AllowFindMyFiles** From b53ee7ceeec4a4c1378b09145cfabe36fbb70ee4 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Thu, 6 Jan 2022 16:15:26 +0530 Subject: [PATCH 121/122] Update policy-csp-remotedesktop.md --- windows/client-management/mdm/policy-csp-remotedesktop.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md index e30c9f6ceb..19de9949ac 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktop.md +++ b/windows/client-management/mdm/policy-csp-remotedesktop.md @@ -80,7 +80,7 @@ ADMX Info:
-**RemoteAssistance/SessionLogging** +**RemoteDesktop/LoadAadCredKeyFromProfile** From be94903092daa8b58162b79a7784865d3d23dbe4 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Fri, 7 Jan 2022 12:29:23 +0530 Subject: [PATCH 122/122] Updated with windows version as per feedback --- windows/client-management/mdm/policy-csp-storage.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 5d43f8f336..31bf31a9f9 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -610,6 +610,8 @@ This policy will do the enforcement over the following protocols which are used - Media Transfer Protocol (MTP) over USB, IP, and Bluetooth - Mass Storage Class (MSC) over USB +To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). + If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android. >[!NOTE] @@ -670,6 +672,8 @@ This policy will do the enforcement over the following protocols which are used - Media Transfer Protocol (MTP) over USB, IP, and Bluetooth - Mass Storage Class (MSC) over USB +To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). + If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android. >[!NOTE] @@ -730,6 +734,8 @@ This policy will do the enforcement over the following protocols which are used - Media Transfer Protocol (MTP) over USB, IP, and Bluetooth - Mass Storage Class (MSC) over USB +To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). + If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android. >[!NOTE] @@ -790,6 +796,8 @@ This policy will do the enforcement over the following protocols which are used - Media Transfer Protocol (MTP) over USB, IP, and Bluetooth - Mass Storage Class (MSC) over USB +To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). + If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android. >[!NOTE]