Merge remote-tracking branch 'refs/remotes/origin/master' into atp-onboarding-nonwindows

Joey Caparas 2017-08-09 15:19:44 -07:00
commit 2c41214734
88 changed files with 880 additions and 535 deletions

View File

@ -41,7 +41,7 @@ description: Learn about the product documentation and resources available for M
</div>
</div>
<div class="cardText">
<span class="likeAnH3">For Partners and IT admins:<br />Get Started with Microsoft 365 Business</span>
<span class="likeAnH3">For Partners and IT admins:<br />Get started with Microsoft 365 Business</span>
</div>
</div>
</div>
@ -57,7 +57,7 @@ description: Learn about the product documentation and resources available for M
<a href="#partner-it">Partner/IT admin</a>
<ul id="partner-it">
<li>
<a data-default="true" href="#getstarted">Get Started</a>
<a data-default="true" href="#getstarted">Get started</a>
<ul id="getstarted" class="cardsC">
<li class="fullSpan">
<div class="container intro">
@ -75,8 +75,8 @@ description: Learn about the product documentation and resources available for M
</div>
</div>
<div class="cardText">
<h3>Learn about Microsoft 365 Business</h3>
<p>Want to learn more about Microsoft 365 Business? Start here.</p>
<h3>Why Microsoft 365 Business?</h3>
<p>Learn how Microsoft 365 Business can empower your team, safeguard your business, and simplify IT management with a single solution.</p>
</div>
</div>
</div>
@ -333,7 +333,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="#">
<a href="https://support.office.com/article/365-1b3b5318-6977-42ed-b5c7-96fa74b08846">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -343,8 +343,27 @@ description: Learn about the product documentation and resources available for M
</div>
</div>
<div class="cardText">
<h3>Identity migration</h3>
<p>Got on-premises AD and plan to move your organizations identity management to the cloud? Do a one-time sync using <a href="https://support.office.com/article/365-1b3b5318-6977-42ed-b5c7-96fa74b08846">Azure AD Connect</a>, or, if you have Exchange servers and plan to also migrate email to the cloud, do a one-time sync using <a href="https://support.office.com/article/FDECCEED-0702-4AF3-85BE-F2A0013937EF">Minimal hybrid migration</a>.</p>
<h3>Identity migration with Azure AD Connect</h3>
<p>Got on-premises AD and plan to move your organizations identity management to the cloud? Do a one-time sync using Azure AD Connect.<a href="https://support.office.com/article/FDECCEED-0702-4AF3-85BE-F2A0013937EF">Minimal hybrid migration</a>.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="https://support.office.com/article/FDECCEED-0702-4AF3-85BE-F2A0013937EF">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/bcs-partner-identity-manager.svg" alt="Identity integration" />
</div>
</div>
<div class="cardText">
<h3>Identity migration with minimal hybrid migration</h3>
<p>Or, if you have Exchange servers and plan to also migrate email to the cloud, do a one-time sync using minimal hybrid migration.</p>
</div>
</div>
</div>
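Review bot: the rewritten paragraph under `<h3>Identity migration with Azure AD Connect</h3>` still ends with a leftover `<a href="https://support.office.com/article/FDECCEED-0702-4AF3-85BE-F2A0013937EF">Minimal hybrid migration</a>.` directly after "Azure AD Connect." That content now has its own card, so the trailing link and its stray period should be dropped. Leaving it also nests an `<a>` inside the card's outer `<a href="https://support.office.com/article/365-1b3b5318-...">`, which is invalid HTML and makes the click target ambiguous. While editing the sentence, "organizations identity management" needs an apostrophe ("organization's"). In the new second card, the description opens with "Or, if you have Exchange servers", which only reads correctly if the cards are seen in order; consider making it stand alone, and check that `alt="Identity integration"` is the intended text for a card titled "Identity migration".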
@ -399,6 +418,25 @@ description: Learn about the product documentation and resources available for M
</div>
</a>
</li>
<li>
<a href="https://support.office.com/article/496e690b-b75d-4ff5-bf34-cc32905d0364#bkmk_support">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/bcs-partner-advanced-management-technical-support-4.svg" alt="Submit a technical support request for Microsoft 365 Business" />
</div>
</div>
<div class="cardText">
<h3>Microsoft Technical Support</h3>
<p>Submit a technical support request for Microsoft 365 Business.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="#">
<div class="cardSize">
@ -417,26 +455,7 @@ description: Learn about the product documentation and resources available for M
</div>
</div>
</a>
</li>
<li>
<a href="#">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/bcs-partner-advanced-management-technical-support-4.svg" alt="Submit a technical support request for Microsoft 365 Business" />
</div>
</div>
<div class="cardText">
<h3>Microsoft Technical Support - Coming soon</h3>
<p>Submit a technical support request for Microsoft 365 Business.</p>
</div>
</div>
</div>
</div>
</a>
</li>
</li>
</ul>
</li>
<li>
@ -469,7 +488,7 @@ description: Learn about the product documentation and resources available for M
</li>
-->
<li>
<a href="https://docs.microsoft.com/windows">
<a href="https://docs.microsoft.com/en-us/windows/windows-10/">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
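Review bot: the new Windows 10 link hard-codes a locale, `https://docs.microsoft.com/en-us/windows/windows-10/`, where the line it replaces (`https://docs.microsoft.com/windows`) was locale-neutral. Unless the deeper path only resolves with the locale segment, drop `en-us/` so readers are routed to their own language, in line with the other locale-free links in this file.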
@ -480,7 +499,7 @@ description: Learn about the product documentation and resources available for M
</div>
<div class="cardText">
<h3>Windows 10</h3>
<p>Learn more about Windows 10.</p>
<p>Find out what's new, how to apply custom configurations to devices, managing apps, deployment, and more.</p>
</div>
</div>
</div>
@ -748,7 +767,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/c654bd23-d256-4ac7-8fba-0c993bf5a771">
<a href="https://support.office.com/article/2d7ff45e-0da0-4caa-89a9-48cabf41f193">
<div class="cardSize">
<div class="cardPadding">
<div class="card">

View File

@ -68,9 +68,8 @@ Surface Hub interacts with a few different products and services. Depending on t
A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, send email, and (optionally) to authenticate to Exchange. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details.
After you've created your device account, there are a couple of ways to verify that it's setup correctly.
- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide.
- Use the account with the [Lync Microsoft Store app](https://www.microsoft.com/en-us/store/p/lync/9wzdncrfhvhm). If Lync signs in successfully, then the device account will most likely work with Skype for Business on Surface Hub.
After you've created your device account, to verify that it's setup correctly, run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide.
## Prepare for first-run program
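Review bot: the merged sentence keeps "verify that it's setup correctly"; the verb form is "set up" ("verify that it's set up correctly"). Since the Lync Store app check is removed and the scripts are now the only verification path offered, it would also help to say in this sentence what a passing validation run confirms, so readers are not left to find that out from the appendix.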

View File

@ -28,7 +28,7 @@ This topic lists new and updated topics in the [Windows 10 for Education](index.
| --- | ---- |
| [Get Minecraft: Education Edition with Windows 10 device promotion](get-minecraft-for-education.md) | New information about redeeming Minecraft: Education Edition licenses with qualifying purchases of Windows 10 devices. |
| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Added the how-to video, which shows how to use the app to create a provisioning package that you can use to set up school PCs. |
| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a policies section to inform you of any policies that affect the Take a Test app or functionality within the app. |
| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a Group Policy section to inform you of any policies that affect the Take a Test app or functionality within the app. |
## June 2017

View File

@ -9,7 +9,7 @@ ms.pagetype: edu
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
ms.date: 07/28/2017
ms.date: 08/07/2017
---
# Take a Test app technical reference
@ -51,6 +51,18 @@ When Take a Test is running, the following MDM policies are applied to lock down
| AllowCortana | Disables Cortana functionality | 0 |
| AllowAutoupdate | Disables Windows Update from starting OS updates | 5 |
## Group Policy
To ensure Take a Test activates correctly, make sure the following Group Policy are not configured on the PC.
| Functionality | Group Policy path | Policy |
| --- | --- | --- |
| Require Ctrl+Alt+Del | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | Interactive logon: Do not Require CTRL+ALT+DEL |
| Disable lock screen notifications | Computer Configuration\Administrative Templates\System\Logon | Turn off app notifications on the lock screen |
| Disable lock screen | Computer Configuration\Administrative Templates\Control Panel\Personalization | Do not display the lock screen |
| Disable UAC | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | User Account Control: Run all administrators in Admin Approval Mode |
| Disable local workstation | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Lock Computer |
## Allowed functionality
When Take a Test is running, the following functionality is available to students:
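Review bot: in the new "Group Policy" section, "make sure the following Group Policy are not configured" is ungrammatical and ambiguous. It should read "Group Policy settings", and it should say whether the requirement is the literal "Not Configured" state in the policy editor or a specific Enabled/Disabled value, because the rows mix polarities: "Require Ctrl+Alt+Del" is paired with "Interactive logon: Do not Require CTRL+ALT+DEL", and "Disable UAC" with "User Account Control: Run all administrators in Admin Approval Mode". Stating the problematic value per row would remove the guesswork. "Disable local workstation" also reads like a typo for "lock workstation", given the policy listed is "Remove Lock Computer".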
@ -75,26 +87,6 @@ When Take a Test is running, the following functionality is available to student
- Ctrl+Alt+Del
- Alt+F4 (Take a Test will restart if the student is using a dedicated test account)
## Policies
If the lock screen is disabled, Take a Test will not launch above lock. Be aware that if you set the following Group Policy, this breaks activation of Take a Test above lock.
**Group Policy path:** Computer Configuration\Administrative Templates\Control Panel\Personalization\ <br />
**Group Policy name:** Do not display the lock screen <br />
**ADML:** %SDXROOT%\shell\policies\ControlPanelDisplay.adml <br />
**ADMX:** %SDXROOT%\shell\policies\ControlPanelDisplay.admx <br />
 
```
<policy name="CPL_Personalization_NoLockScreen" class="Machine"
        displayName="$(string.CPL_Personalization_NoLockScreen)"
        explainText="$(string.CPL_Personalization_NoLockScreen_Help)"
        key="Software\Policies\Microsoft\Windows\Personalization"
        valueName="NoLockScreen">
  <parentCategory ref="Personalization" />
  <supportedOn ref="windows:SUPPORTED_Windows8" />
</policy>
```
## Learn more
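Review bot: removing the "Policies" section also removes the only statement of consequence, "If the lock screen is disabled, Take a Test will not launch above lock." The replacement table lists "Do not display the lock screen" without saying what breaks. Please carry that sentence into the new Group Policy section (or add a short "effect" column) so admins can tell why each setting matters. Dropping the `%SDXROOT%` ADML/ADMX paths and the raw `<policy>` XML is fine, as those are internal build references.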

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
ms.date: 08/04/2017
ms.date: 08/07/2017
---
# Test Windows 10 S on existing Windows 10 education devices
@ -95,17 +95,18 @@ Check with your device manufacturer before trying Windows 10 S on your device to
| - | - | - |
| <a href="https://www.acer.com/ac/en/US/content/windows10s-compatible-list" target="_blank">Acer</a> | <a href="https://www.ibuypower.com/Support/Support" target="_blank">American Future Tech</a> | <a href="https://www.asus.com/event/2017/win10S/" target="_blank">Asus</a> |
| <a href="http://www.atec.kr/contents/ms_info.html" target="_blank">Atec</a> | <a href="https://www.odys.de/web/web_lan_en_hmp_1_win10s_ja.html" target="_blank">Axdia</a> | <a href="http://www.casper.com.tr/window10sdestegi" target="_blank">Casper</a> |
| <a href="https://www.cyberpowerpc.com/support/" target="_blank">Cyberpower</a> | <a href="http://www.lucoms.com/v2/cs/cs_windows10.asp" target="_blank">Daewoo</a> | <a href="http://support.ts.fujitsu.com/IndexProdSupport.asp?OpenTab=win10_update" target="_blank">Fujitsu</a> |
| <a href="http://compaq.com.br/sistemas-compativeis-com-windows-10-s.html" target="_blank">Global K</a> | <a href="https://support.hp.com/us-en/document/c05588871" target="_blank">HP</a> | <a href="http://irbis-digital.ru/support/podderzhka-windows-10-s/" target="_blank">LANIT Trading</a> |
| <a href="https://support.lenovo.com/us/en/solutions/ht504589" target="_blank">Lenovo</a> | <a href="http://www.lg.com/us/content/html/hq/windows10update/Win10S_UpdateInfo.html" target="_blank">LG</a> | <a href="https://www2.mouse-jp.co.jp/ssl/user_support2/info.asp?N_ID=361" target="_blank">MCJ</a> |
| <a href="http://support.linxtablets.com/WindowsSupport/Articles/Windows_10_S_Supported_Devices.aspx" target="_blank">Micro P/Exertis</a> | <a href="https://www.microsoft.com/surface/en-us/support/windows-and-office/surface-devices-that-work-with-windows-10-s" target="_blank">Microsoft</a> | <a href="https://www.msi.com/Landing/Win10S" target="_blank">MSI</a> |
| <a href="https://panasonic.net/cns/pc/Windows10S/" target="_blank">Panasonic</a> | <a href="http://www.positivoinformatica.com.br/atualizacao-windows-10" target="_blank">Positivo SA</a> | <a href="http://www.br.vaio.com/atualizacao-windows-10/" target="_blank">Positivo da Bahia</a> |
| <a href="http://www.samsung.com/us/support/windows10s/" target="_blank">Samsung</a> | <a href="http://win10upgrade.toshiba.com/win10s/information?region=TAIS&country=US&lang=en" target="_blank">Toshiba</a> | <a href="http://www.trekstor.de/windows-10-s-en.html" target="_blank">Trekstor</a> |
| <a href="http://www.trigem.co.kr/windows/win10S.html" target="_blank">Trigem</a> | <a href="http://us.vaio.com/support/knowledge-base/windows-10-s-compatibility-information/" target="_blank">Vaio</a> | <a href="https://www.wortmann.de/en-gb/content/+windows-10-s-supportinformation/windows-10-s-supportinformation.aspx" target="_blank">Wortmann</a> |
| <a href="https://www.cyberpowerpc.com/support/" target="_blank">Cyberpower</a> | <a href="http://www.lucoms.com/v2/cs/cs_windows10.asp" target="_blank">Daewoo</a> | <a href="http://www.daten.com.br/suportes/windows10s/" target="_blank">Daten</a> |
| <a href="http://support.ts.fujitsu.com/IndexProdSupport.asp?OpenTab=win10_update" target="_blank">Fujitsu</a> | <a href="http://compaq.com.br/sistemas-compativeis-com-windows-10-s.html" target="_blank">Global K</a> | <a href="https://support.hp.com/us-en/document/c05588871" target="_blank">HP</a> |
| <a href="http://irbis-digital.ru/support/podderzhka-windows-10-s/" target="_blank">LANIT Trading</a> | <a href="https://support.lenovo.com/us/en/solutions/ht504589" target="_blank">Lenovo</a> | <a href="http://www.lg.com/us/content/html/hq/windows10update/Win10S_UpdateInfo.html" target="_blank">LG</a> |
| <a href="https://www2.mouse-jp.co.jp/ssl/user_support2/info.asp?N_ID=361" target="_blank">MCJ</a> | <a href="http://support.linxtablets.com/WindowsSupport/Articles/Windows_10_S_Supported_Devices.aspx" target="_blank">Micro P/Exertis</a> | <a href="https://www.microsoft.com/surface/en-us/support/windows-and-office/surface-devices-that-work-with-windows-10-s" target="_blank">Microsoft</a> |
| <a href="https://www.msi.com/Landing/Win10S" target="_blank">MSI</a> | <a href="https://panasonic.net/cns/pc/Windows10S/" target="_blank">Panasonic</a> | <a href="http://www.positivoinformatica.com.br/atualizacao-windows-10" target="_blank">Positivo SA</a> |
| <a href="http://www.br.vaio.com/atualizacao-windows-10/" target="_blank">Positivo da Bahia</a> | <a href="http://www.samsung.com/us/support/windows10s/" target="_blank">Samsung</a> | <a href="http://www.tongfangpc.com/service/win10.aspx" target="_blank">Tongfang</a> |
| <a href="http://win10upgrade.toshiba.com/win10s/information?region=TAIS&country=US&lang=en" target="_blank">Toshiba</a> | <a href="http://www.trekstor.de/windows-10-s-en.html" target="_blank">Trekstor</a> | <a href="http://www.trigem.co.kr/windows/win10S.html" target="_blank">Trigem</a> |
| <a href="http://us.vaio.com/support/knowledge-base/windows-10-s-compatibility-information/" target="_blank">Vaio</a> | <a href="https://www.wortmann.de/en-gb/content/+windows-10-s-supportinformation/windows-10-s-supportinformation.aspx" target="_blank">Wortmann</a> |
> [!NOTE]
> If you don't see any device listed on the manufacturer's web site, check back again later as more devices get added in future.
> If you don't see any device listed on the manufacturer's web site, check back again later as more devices get added in the future.
<!--
* [Microsoft](https://www.microsoft.com/surface/en-us/support/windows-and-office/surface-devices-that-work-with-windows-10-s)
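Review bot: after adding Daten and Tongfang the table no longer fills its grid; the final row (Vaio, Wortmann) has two cells under a three-column header. Add an empty third cell so the row renders consistently across Markdown engines. Separately, every vendor link uses `target="_blank"` without `rel="noopener noreferrer"`, and the two new entries (`http://www.daten.com.br/...`, `http://www.tongfangpc.com/...`) are plain HTTP; add the `rel` attribute and use HTTPS where the vendor supports it.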

View File

@ -33,25 +33,13 @@ The following known issues have been fixed by servicing releases made available
- Windows 10 Version 1511: [KB4015219 (OS Build 10586.873)](https://support.microsoft.com/help/4015219)
- Windows 10 Version 1507: [KB4015221 (OS Build 10240.17354)](https://support.microsoft.com/help/4015221)
## Known issues involving third-party applications
The following issue affects the Java GSS API. See the following Oracle bug database article:
- [JDK-8161921: Windows 10 Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
When Credential Guard is enabled on Windows 10, the Java GSS API will not authenticate. This is expected behavior because Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
The following issue affects Cisco AnyConnect Secure Mobility Client:

Binary file not shown.

Before

Width:  |  Height:  |  Size: 23 KiB

After

Width:  |  Height:  |  Size: 32 KiB

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 08/09/2017
---
# EnterpriseDataProtection CSP
@ -44,8 +44,8 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format.
- 0 (default) Off / No protection (decrypts previously protected data).
- 1 Silent mode (encrypt and audit only).
- 2 Override mode (encrypt, prompt, and audit).
- 3 Block mode (encrypt, block, and audit).
- 2 Allow override mode (encrypt, prompt and allow overrides, and audit).
- 3 Hides overrides (encrypt, prompt but hide overrides, and audit).
<p style="margin-left: 20px">Supported operations are Add, Get, Replace and Delete. Value type is integer.
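Review bot: the new text for value 3, "Hides overrides (encrypt, prompt but hide overrides, and audit)", no longer says that the action is blocked, which the replaced line stated outright ("Block mode (encrypt, block, and audit)"). If level 3 still blocks the action, say so explicitly, since this is the value admins choose for strict enforcement and the description is what they will audit against. The label is also inconsistent with its neighbours ("Silent mode", "Allow override mode"); "Hide overrides mode" would match.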

View File

@ -1322,6 +1322,16 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top">[CM\_CellularEntries CSP](cm-cellularentries-csp.md)</td>
<td style="vertical-align:top"><p>Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)</td>
<td style="vertical-align:top"><p>Updated the Settings/EDPEnforcementLevel values to the following:</p>
<ul>
<li> 0 (default) Off / No protection (decrypts previously protected data).</li>
<li> 1 Silent mode (encrypt and audit only).</li>
<li> 2 Allow override mode (encrypt, prompt and allow overrides, and audit).</li>
<li> 3 Hides overrides (encrypt, prompt but hide overrides, and audit).</li>
</ul>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>

View File

@ -1782,75 +1782,76 @@ The following diagram shows the Policy configuration service provider in tree fo
<dl>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts_blockmicrosoftaccounts" id="localpoliciessecurityoptions-accounts_blockmicrosoftaccounts">LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts" id="localpoliciessecurityoptions-accounts-blockmicrosoftaccounts">LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts_enableadministratoraccountstatus" id="localpoliciessecurityoptions-accounts_enableadministratoraccountstatus">LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus </a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-enableadministratoraccountstatus" id="localpoliciessecurityoptions-accounts-enableadministratoraccountstatus">LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts_enableguestaccountstatus" id="localpoliciessecurityoptions-accounts_enableguestaccountstatus">LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-enableguestaccountstatus" id="localpoliciessecurityoptions-accounts-enableguestaccountstatus">LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts_limitlocalaccountuseofblankpasswordstoconsolelogononly" id="localpoliciessecurityoptions-accounts_limitlocalaccountuseofblankpasswordstoconsolelogononly">LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly</a>
</dd><dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts_renameadministratoraccount" id="localpoliciessecurityoptions-accounts_renameadministratoraccount">LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly" id="localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly">LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts_renameguestaccount" id="localpoliciessecurityoptions-accounts_renameguestaccount">LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameadministratoraccount" id="localpoliciessecurityoptions-accounts-renameadministratoraccount">LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon_displayuserinformationwhenthesessionislocked" id="localpoliciessecurityoptions-interactivelogon_displayuserinformationwhenthesessionislocked">LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameguestaccount" id="localpoliciessecurityoptions-accounts-renameguestaccount">LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon_donotdisplaylastsignedin" id="localpoliciessecurityoptions-interactivelogon_donotdisplaylastsignedin">LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked" id="localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked">LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon_donotdisplayusernameatsignin" id="localpoliciessecurityoptions-interactivelogon_donotdisplayusernameatsignin">LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin" id="localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin">LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon_donotrequirectrlaltdel" id="localpoliciessecurityoptions-interactivelogon_donotrequirectrlaltdel">LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin" id="localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin">LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon_machineinactivitylimit" id="localpoliciessecurityoptions-interactivelogon_machineinactivitylimit">LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel" id="localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel">LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon_messagetextforusersattemptingtologon" id="localpoliciessecurityoptions-interactivelogon_messagetextforusersattemptingtologon">LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-machineinactivitylimit" id="localpoliciessecurityoptions-interactivelogon-machineinactivitylimit">LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon_messagetitleforusersattemptingtologon" id="localpoliciessecurityoptions-interactivelogon_messagetitleforusersattemptingtologon">LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon" id="localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon">LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity_allowpku2uauthenticationrequests" id="localpoliciessecurityoptions-networksecurity_allowpku2uauthenticationrequests">LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon" id="localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon">LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-recoveryconsole_allowautomaticadministrativelogon" id="localpoliciessecurityoptions-recoveryconsole_allowautomaticadministrativelogon">LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests" id="localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests">LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown_allowsystemtobeshutdownwithouthavingtologon" id="localpoliciessecurityoptions-shutdown_allowsystemtobeshutdownwithouthavingtologon">LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-recoveryconsole-allowautomaticadministrativelogon" id="localpoliciessecurityoptions-recoveryconsole-allowautomaticadministrativelogon">LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol_allowuiaccessapplicationstopromptforelevation" id="localpoliciessecurityoptions-useraccountcontrol_allowuiaccessapplicationstopromptforelevation">LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon" id="localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon">LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol_behavioroftheelevationpromptforadministrators" id="localpoliciessecurityoptions-useraccountcontrol_behavioroftheelevationpromptforadministrators">LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-tbuseraccountcontrol-runalladministratorsinadminapprovalmoded" id="localpoliciessecurityoptions-tbuseraccountcontrol-runalladministratorsinadminapprovalmoded">LocalPoliciesSecurityOptions/TBUserAccountControl_RunAllAdministratorsInAdminApprovalModeD</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol_behavioroftheelevationpromptforstandardusers" id="localpoliciessecurityoptions-useraccountcontrol_behavioroftheelevationpromptforstandardusers">LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation" id="localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation">LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol_onlyelevateexecutablefilesthataresignedandvalidated" id="localpoliciessecurityoptions-useraccountcontrol_onlyelevateexecutablefilesthataresignedandvalidated">LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators" id="localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators">LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol_onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations" id="localpoliciessecurityoptions-useraccountcontrol_onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations">LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers" id="localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers">LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol_runalladministratorsinadminapprovalmode" id="localpoliciessecurityoptions-useraccountcontrol_runalladministratorsinadminapprovalmode">LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated" id="localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated">LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol_switchtothesecuredesktopwhenpromptingforelevation" id="localpoliciessecurityoptions-useraccountcontrol_switchtothesecuredesktopwhenpromptingforelevation">LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations" id="localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations">LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol_virtualizefileandregistrywritefailurestoperuserlocations" id="localpoliciessecurityoptions-useraccountcontrol_virtualizefileandregistrywritefailurestoperuserlocations">LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation" id="localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation">LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations" id="localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations">LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations</a>
</dd>
</dl>
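Review bot: The fragment ids in these index links change from the underscore form (`#localpoliciessecurityoptions-useraccountcontrol_behaviorof...`) to the hyphen form (`#localpoliciessecurityoptions-useraccountcontrol-behaviorof...`), so any link elsewhere in the docs set that still uses the underscore form will stop resolving to the policy section. Please search the repo for the old fragments before merging. Also check that each hyphenated fragment listed here has a matching `id` in policy-csp-localpoliciessecurityoptions.md, because the two files are edited separately in this commit and can drift.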

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - AboveLock

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Accounts

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - ActiveXControls
@ -66,6 +66,7 @@ Note: Wild card characters cannot be used when specifying the host URLs.
ADMX Info:
- GP english name: *Approved Installation Sites for ActiveX Controls*
- GP name: *ApprovedActiveXInstallSites*
- GP path: *Windows Components/ActiveX Installer Service*
- GP ADMX file name: *ActiveXInstallService.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - ApplicationDefaults

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - ApplicationManagement

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - AppVirtualization

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - AttachmentManager
@ -66,6 +66,7 @@ If you do not configure this policy setting, Windows marks file attachments with
ADMX Info:
- GP english name: *Do not preserve zone information in file attachments*
- GP name: *AM_MarkZoneOnSavedAtttachments*
- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
<!--EndADMX-->
@ -117,6 +118,7 @@ If you do not configure this policy setting, Windows hides the check box and Unb
ADMX Info:
- GP english name: *Hide mechanisms to remove zone information*
- GP name: *AM_RemoveZoneInfo*
- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
<!--EndADMX-->
@ -168,6 +170,7 @@ If you do not configure this policy setting, Windows does not call the registere
ADMX Info:
- GP english name: *Notify antivirus programs when opening attachments*
- GP name: *AM_CallIOfficeAntiVirus*
- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Authentication

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Autoplay
@ -64,6 +64,7 @@ If you disable or do not configure this policy setting, AutoPlay is enabled for
ADMX Info:
- GP english name: *Disallow Autoplay for non-volume devices*
- GP name: *NoAutoplayfornonVolume*
- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
<!--EndADMX-->
@ -122,6 +123,7 @@ If you disable or not configure this policy setting, Windows Vista or later will
ADMX Info:
- GP english name: *Set the default behavior for AutoRun*
- GP name: *NoAutorun*
- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
<!--EndADMX-->
@ -181,6 +183,7 @@ Note: This policy setting appears in both the Computer Configuration and User Co
ADMX Info:
- GP english name: *Turn off Autoplay*
- GP name: *Autorun*
- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Bitlocker

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Bluetooth

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Browser

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Camera

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Cellular
@ -58,6 +58,7 @@ ms.date: 07/14/2017
ADMX Info:
- GP english name: *Set Per-App Cellular Access UI Visibility*
- GP name: *ShowAppCellularAccessUI*
- GP path: *Network/WWAN Service/WWAN UI Settings*
- GP ADMX file name: *wwansvc.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Connectivity
@ -521,6 +521,7 @@ If you enable this policy, Windows only allows access to the specified UNC paths
ADMX Info:
- GP english name: *Hardened UNC Paths*
- GP name: *Pol_HardenedPaths*
- GP path: *Network/Network Provider*
- GP ADMX file name: *networkprovider.admx*
<!--EndADMX-->
@ -564,6 +565,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Prohibit installation and configuration of Network Bridge on your DNS domain network*
- GP name: *NC_AllowNetBridge_NLA*
- GP path: *Network/Network Connections*
- GP ADMX file name: *NetworkConnections.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - CredentialProviders
@ -155,7 +155,7 @@ Added in Windows 10, version 1709. Boolean policy to disable the visibility of t
The Windows 10 Automatic ReDeployment feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students.
- 0 - Enable the visibility of the credentials for Windows 10 Automatic ReDeployment
- 1 - Disable visibility of the credentials for Windows 10 Automatic ReDeployment
- 1 - Disable visibility of the credentials for Windows 10 Automatic ReDeployment
<!--EndDescription-->
<!--EndPolicy-->
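Review bot: The description sentence kept as context in this hunk still reads "the devices are for ready for use by information workers or students", with a stray "for", and "allows admin to reset devices" is missing an article or plural. Since the hunk already touches this description, please fix both. The only changed line, `- 1 - Disable visibility of the credentials for Windows 10 Automatic ReDeployment`, is textually identical before and after, so this looks like a whitespace-only edit; confirm that is intended.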

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - CredentialsUI
@ -68,6 +68,7 @@ The policy applies to all Windows components and applications that use the Windo
ADMX Info:
- GP english name: *Do not display the password reveal button*
- GP name: *DisablePasswordReveal*
- GP path: *Windows Components/Credential User Interface*
- GP ADMX file name: *credui.admx*
<!--EndADMX-->
@ -117,6 +118,7 @@ If you disable this policy setting, users will always be required to type a user
ADMX Info:
- GP english name: *Enumerate administrator accounts on elevation*
- GP name: *EnumerateAdministrators*
- GP path: *Windows Components/Credential User Interface*
- GP ADMX file name: *credui.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Cryptography

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - DataProtection

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - DataUsage
@ -70,6 +70,7 @@ If this policy setting is disabled or is not configured, the cost of 3G connecti
ADMX Info:
- GP english name: *Set 3G Cost*
- GP name: *SetCost3G*
- GP path: *Network/WWAN Service/WWAN Media Cost*
- GP ADMX file name: *wwansvc.admx*
<!--EndADMX-->
@ -125,6 +126,7 @@ If this policy setting is disabled or is not configured, the cost of 4G connecti
ADMX Info:
- GP english name: *Set 4G Cost*
- GP name: *SetCost4G*
- GP path: *Network/WWAN Service/WWAN Media Cost*
- GP ADMX file name: *wwansvc.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Defender

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - DeliveryOptimization

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Desktop

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - DeviceGuard

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - DeviceInstallation
@ -64,6 +64,7 @@ If you disable or do not configure this policy setting, devices can be installed
ADMX Info:
- GP english name: *Prevent installation of devices that match any of these device IDs*
- GP name: *DeviceInstall_IDs_Deny*
- GP path: *System/Device Installation/Device Installation Restrictions*
- GP ADMX file name: *deviceinstallation.admx*
<!--EndADMX-->
@ -113,6 +114,7 @@ If you disable or do not configure this policy setting, Windows can install and
ADMX Info:
- GP english name: *Prevent installation of devices using drivers that match these device setup classes*
- GP name: *DeviceInstall_Classes_Deny*
- GP path: *System/Device Installation/Device Installation Restrictions*
- GP ADMX file name: *deviceinstallation.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - DeviceLock
@ -769,6 +769,7 @@ If you enable this setting, users will no longer be able to modify slide show se
ADMX Info:
- GP english name: *Prevent enabling lock screen slide show*
- GP name: *CPL_Personalization_NoLockScreenSlideshow*
- GP path: *Control Panel/Personalization*
- GP ADMX file name: *ControlPanelDisplay.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Display

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/27/2017
ms.date: 08/09/2017
---
# Policy CSP - Education

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - EnterpriseCloudPrint

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - ErrorReporting
@ -123,6 +123,7 @@ If you disable or do not configure this policy setting, the Turn off Windows Err
ADMX Info:
- GP english name: *Disable Windows Error Reporting*
- GP name: *WerDisable_2*
- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
<!--EndADMX-->
@ -176,6 +177,7 @@ See also the Configure Error Reporting policy setting.
ADMX Info:
- GP english name: *Display Error Notification*
- GP name: *PCH_ShowUI*
- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
<!--EndADMX-->
@ -225,6 +227,7 @@ If you disable or do not configure this policy setting, then consent policy sett
ADMX Info:
- GP english name: *Do not send additional data*
- GP name: *WerNoSecondLevelData_2*
- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
<!--EndADMX-->
@ -274,6 +277,7 @@ If you disable or do not configure this policy setting, Windows Error Reporting
ADMX Info:
- GP english name: *Prevent display of the user interface for critical errors*
- GP name: *WerDoNotShowUI*
- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - EventLogService
@ -66,6 +66,7 @@ Note: Old events may or may not be retained according to the "Backup log automat
ADMX Info:
- GP english name: *Control Event Log behavior when the log file reaches its maximum size*
- GP name: *Channel_Log_Retention_1*
- GP path: *Windows Components/Event Log Service/Application*
- GP ADMX file name: *eventlog.admx*
<!--EndADMX-->
@ -115,6 +116,7 @@ If you disable or do not configure this policy setting, the maximum size of the
ADMX Info:
- GP english name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_1*
- GP path: *Windows Components/Event Log Service/Application*
- GP ADMX file name: *eventlog.admx*
<!--EndADMX-->
@ -164,6 +166,7 @@ If you disable or do not configure this policy setting, the maximum size of the
ADMX Info:
- GP english name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_2*
- GP path: *Windows Components/Event Log Service/Security*
- GP ADMX file name: *eventlog.admx*
<!--EndADMX-->
@ -213,6 +216,7 @@ If you disable or do not configure this policy setting, the maximum size of the
ADMX Info:
- GP english name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_4*
- GP path: *Windows Components/Event Log Service/System*
- GP ADMX file name: *eventlog.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Experience

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Games
@ -22,9 +22,6 @@ ms.date: 07/14/2017
<!--StartPolicy-->
<a href="" id="games-allowadvancedgamingservices"></a>**Games/AllowAdvancedGamingServices**
<!--StartSKU-->
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Placeholder only. Currently not supported.

File diff suppressed because it is too large

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Kerberos
@ -64,6 +64,7 @@ If you disable or do not configure this policy setting, the Kerberos client does
ADMX Info:
- GP english name: *Use forest search order*
- GP name: *ForestSearch*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--EndADMX-->
@ -112,6 +113,7 @@ If you disable or do not configure this policy setting, the client devices will
ADMX Info:
- GP english name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
- GP name: *EnableCbacAndArmor*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--EndADMX-->
@ -165,6 +167,7 @@ If you disable or do not configure this policy setting, the client computers in
ADMX Info:
- GP english name: *Fail authentication requests when Kerberos armoring is not available*
- GP name: *ClientRequireFast*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--EndADMX-->
@ -214,6 +217,7 @@ If you disable or do not configure this policy setting, the Kerberos client requ
ADMX Info:
- GP english name: *Require strict KDC validation*
- GP name: *ValidateKDC*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--EndADMX-->
@ -267,6 +271,7 @@ Note: This policy setting configures the existing MaxTokenSize registry value in
ADMX Info:
- GP english name: *Set maximum Kerberos SSPI context token buffer size*
- GP name: *MaxTokenSize*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Licensing

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/04/2017
ms.date: 08/09/2017
---
# Policy CSP - LocalPoliciesSecurityOptions
@ -20,7 +20,7 @@ ms.date: 08/04/2017
## LocalPoliciesSecurityOptions policies
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-accounts_blockmicrosoftaccounts"></a>**LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts**
<a href="" id="localpoliciessecurityoptions-accounts-blockmicrosoftaccounts"></a>**LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts**
<!--StartSKU-->
<table>
@ -58,19 +58,11 @@ Valid values:
- 0 - disabled (users will be able to use Microsoft accounts with Windows)
- 1 - enabled (users cannot add Microsoft accounts)
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-accounts_enableadministratoraccountstatus"></a>**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus**
<a href="" id="localpoliciessecurityoptions-accounts-enableadministratoraccountstatus"></a>**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus**
<!--StartSKU-->
<table>
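Review bot: Nothing in the visible hunks shows one footnote legend and one `<!--EndPolicies-->` being kept at the end of the file once the block after `<!--EndPolicy-->` is removed here and after every following policy. Dropping the repeated `<!--EndPolicies-->` is correct, since it closed the policies block after the first policy, but the legend ("1 - Added in Windows 10, version 1607" through "3 - Added in Windows 10, version 1709") is the only place the version markers are explained. Please confirm both survive exactly once after the last policy.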
@ -109,19 +101,11 @@ Valid values:
- 1 - local Administrator account is enabled
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-accounts_enableguestaccountstatus"></a>**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus**
<a href="" id="localpoliciessecurityoptions-accounts-enableguestaccountstatus"></a>**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus**
<!--StartSKU-->
<table>
@ -157,19 +141,11 @@ Valid values:
Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-accounts_limitlocalaccountuseofblankpasswordstoconsolelogononly"></a>**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly**
<a href="" id="localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly"></a>**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly**
<!--StartSKU-->
<table>
@ -213,19 +189,11 @@ This setting does not affect logons that use domain accounts.
It is possible for applications that use remote interactive logons to bypass this setting.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-accounts_renameadministratoraccount"></a>**LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount**
<a href="" id="localpoliciessecurityoptions-accounts-renameadministratoraccount"></a>**LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount**
<!--StartSKU-->
<table>
@ -258,19 +226,11 @@ This security setting determines whether a different account name is associated
Default: Administrator.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-accounts_renameguestaccount"></a>**LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount**
<a href="" id="localpoliciessecurityoptions-accounts-renameguestaccount"></a>**LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount**
<!--StartSKU-->
<table>
@ -303,19 +263,11 @@ This security setting determines whether a different account name is associated
Default: Guest.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-interactivelogon_displayuserinformationwhenthesessionislocked"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**
<a href="" id="localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**
<!--StartSKU-->
<table>
@ -349,19 +301,11 @@ Valid values:
- 3 - Do not display user information
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-interactivelogon_donotdisplaylastsignedin"></a>**LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn**
<a href="" id="localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn**
<!--StartSKU-->
<table>
@ -400,19 +344,11 @@ Valid values:
- 1 - enabled (username will not be shown)
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-interactivelogon_donotdisplayusernameatsignin"></a>**LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn**
<a href="" id="localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn**
<!--StartSKU-->
<table>
@ -452,19 +388,11 @@ Valid values:
- 1 - enabled (username will not be shown)
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-interactivelogon_donotrequirectrlaltdel"></a>**LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL**
<a href="" id="localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL**
<!--StartSKU-->
<table>
@ -505,19 +433,11 @@ Valid values:
- 1 - enabled (a user is not required to press CTRL+ALT+DEL to log on)
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-interactivelogon_machineinactivitylimit"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit**
<a href="" id="localpoliciessecurityoptions-interactivelogon-machineinactivitylimit"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit**
<!--StartSKU-->
<table>
@ -553,19 +473,11 @@ Valid values:
- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit)
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-interactivelogon_messagetextforusersattemptingtologon"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn**
<a href="" id="localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn**
<!--StartSKU-->
<table>
@ -600,20 +512,11 @@ This text is often used for legal reasons, for example, to warn users about the
Default: No message.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-interactivelogon_messagetitleforusersattemptingtologon"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn**
<a href="" id="localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn**
<!--StartSKU-->
<table>
@ -646,19 +549,11 @@ This security setting allows the specification of a title to appear in the title
Default: No message.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-networksecurity_allowpku2uauthenticationrequests"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests**
<a href="" id="localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests**
<!--StartSKU-->
<table>
@ -683,7 +578,8 @@ Footnote:
</table>
<!--EndSKU-->
<!--StartDescription-->Network security: Allow PKU2U authentication requests to this computer to use online identities.
<!--StartDescription-->
Network security: Allow PKU2U authentication requests to this computer to use online identities.
This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine.
@ -692,19 +588,11 @@ Valid values:
- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities.)
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-recoveryconsole_allowautomaticadministrativelogon"></a>**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon**
<a href="" id="localpoliciessecurityoptions-recoveryconsole-allowautomaticadministrativelogon"></a>**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon**
<!--StartSKU-->
<table>
@ -729,7 +617,8 @@ Footnote:
</table>
<!--EndSKU-->
<!--StartDescription-->Recovery console: Allow automatic administrative logon
<!--StartDescription-->
Recovery console: Allow automatic administrative logon
This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system.
@ -739,19 +628,11 @@ Valid values:
- 1 - enabled (allow automatic administrative logon)
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-shutdown_allowsystemtobeshutdownwithouthavingtologon"></a>**LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn**
<a href="" id="localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon"></a>**LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn**
<!--StartSKU-->
<table>
@ -776,7 +657,8 @@ Footnote:
</table>
<!--EndSKU-->
<!--StartDescription-->Shutdown: Allow system to be shut down without having to log on
<!--StartDescription-->
Shutdown: Allow system to be shut down without having to log on
This security setting determines whether a computer can be shut down without having to log on to Windows.
@ -791,19 +673,11 @@ Valid values:
- 1 - enabled (allow system to be shut down without having to log on)
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-useraccountcontrol_allowuiaccessapplicationstopromptforelevation"></a>**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation**
<a href="" id="localpoliciessecurityoptions-tbuseraccountcontrol-runalladministratorsinadminapprovalmoded"></a>**LocalPoliciesSecurityOptions/TBUserAccountControl_RunAllAdministratorsInAdminApprovalModeD**
<!--StartSKU-->
<table>
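Review bot: The heading `LocalPoliciesSecurityOptions/TBUserAccountControl_RunAllAdministratorsInAdminApprovalModeD` has a `TB` prefix and a trailing `D` that no sibling UserAccountControl_ policy carries, and this hunk now bakes the same spelling into the anchor id (`...-tbuseraccountcontrol-runalladministratorsinadminapprovalmoded`). Please confirm that this is the real node name. If it is a typo, an admin copying it into a policy path would not be setting Admin Approval Mode as intended. The spelling also places the entry ahead of the other UserAccountControl_ policies.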
@ -828,7 +702,48 @@ Footnote:
</table>
<!--EndSKU-->
<!--StartDescription-->User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.
<!--StartDescription-->
User Account Control: Turn on Admin Approval Mode
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
The options are:
- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation"></a>**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.
This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
@ -842,19 +757,11 @@ Valid values:
The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-useraccountcontrol_behavioroftheelevationpromptforadministrators"></a>**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators**
<a href="" id="localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators"></a>**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators**
<!--StartSKU-->
<table>
@ -879,7 +786,8 @@ Footnote:
</table>
<!--EndSKU-->
<!--StartDescription-->User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
<!--StartDescription-->
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
This policy setting controls the behavior of the elevation prompt for administrators.
@ -898,19 +806,11 @@ The options are:
• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-useraccountcontrol_behavioroftheelevationpromptforstandardusers"></a>**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers**
<a href="" id="localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers"></a>**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers**
<!--StartSKU-->
<table>
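Review bot: The option list for BehaviorOfTheElevationPromptForAdministrators ends with a `•` bullet that names the choice ("Prompt for consent for non-Windows binaries") but gives no number, while the next line says the value type is integer. List each option as `n - name`, as the 0/1 policies in this file do, so a reader knows which integer to send. The standard-users entry below has the same gap.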
@ -935,7 +835,8 @@ Footnote:
</table>
<!--EndSKU-->
<!--StartDescription-->User Account Control: Behavior of the elevation prompt for standard users
<!--StartDescription-->
User Account Control: Behavior of the elevation prompt for standard users
This policy setting controls the behavior of the elevation prompt for standard users.
The options are:
@ -947,19 +848,11 @@ The options are:
• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-useraccountcontrol_onlyelevateexecutablefilesthataresignedandvalidated"></a>**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated**
<a href="" id="localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated"></a>**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated**
<!--StartSKU-->
<table>
@ -984,7 +877,8 @@ Footnote:
</table>
<!--EndSKU-->
<!--StartDescription-->User Account Control: Only elevate executable files that are signed and validated
<!--StartDescription-->
User Account Control: Only elevate executable files that are signed and validated
This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
@ -993,19 +887,11 @@ The options are:
- 1 - Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-useraccountcontrol_onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations"></a>**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations**
<a href="" id="localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations"></a>**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations**
<!--StartSKU-->
<table>
@ -1030,7 +916,8 @@ Footnote:
</table>
<!--EndSKU-->
<!--StartDescription-->User Account Control: Only elevate UIAccess applications that are installed in secure locations
<!--StartDescription-->
User Account Control: Only elevate UIAccess applications that are installed in secure locations
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
@ -1045,19 +932,11 @@ The options are:
- 1 - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-useraccountcontrol_runalladministratorsinadminapprovalmode"></a>**LocalPoliciesSecurityOptions/TBUserAccountControl_RunAllAdministratorsInAdminApprovalModeD**
<a href="" id="localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation"></a>**LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation**
<!--StartSKU-->
<table>
@ -1082,54 +961,8 @@ Footnote:
</table>
<!--EndSKU-->
<!--StartDescription-->User Account Control: Turn on Admin Approval Mode
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
The options are:
- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-useraccountcontrol_switchtothesecuredesktopwhenpromptingforelevation"></a>**LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->User Account Control: Switch to the secure desktop when prompting for elevation
<!--StartDescription-->
User Account Control: Switch to the secure desktop when prompting for elevation
This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
@ -1138,19 +971,11 @@ The options are:
- 1 - Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-useraccountcontrol_virtualizefileandregistrywritefailurestoperuserlocations"></a>**LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations**
<a href="" id="localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations"></a>**LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations**
<!--StartSKU-->
<table>
@ -1175,7 +1000,8 @@ Footnote:
</table>
<!--EndSKU-->
<!--StartDescription-->User Account Control: Virtualize file and registry write failures to per-user locations
<!--StartDescription-->
User Account Control: Virtualize file and registry write failures to per-user locations
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
@ -1184,6 +1010,7 @@ The options are:
- 1 - Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
@ -1194,4 +1021,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--EndPolicies-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Location
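Review bot: `ms.date` moves from 07/14/2017 to 08/09/2017, but this is the only hunk for the Location page, so the date now claims an update the content did not get. If the bump comes from regenerating the whole Policy CSP set, say so in the commit message; otherwise leave the date alone on pages with no content change. The same applies to the other date-only files in this commit.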

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - LockDown

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Maps

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Messaging

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - NetworkIsolation

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Notifications

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Power
@ -64,6 +64,7 @@ If you disable this policy setting, standby states (S1-S3) are not allowed.
ADMX Info:
- GP english name: *Allow standby states (S1-S3) when sleeping (plugged in)*
- GP name: *AllowStandbyStatesAC_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
@ -115,6 +116,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Turn off the display (on battery)*
- GP name: *VideoPowerDownTimeOutDC_2*
- GP path: *System/Power Management/Video and Display Settings*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
@ -166,6 +168,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Turn off the display (plugged in)*
- GP name: *VideoPowerDownTimeOutAC_2*
- GP path: *System/Power Management/Video and Display Settings*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
@ -218,6 +221,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify the system hibernate timeout (on battery)*
- GP name: *DCHibernateTimeOut_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
@ -269,6 +273,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify the system hibernate timeout (plugged in)*
- GP name: *ACHibernateTimeOut_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
@ -318,6 +323,7 @@ If you disable this policy setting, the user is not prompted for a password when
ADMX Info:
- GP english name: *Require a password when a computer wakes (on battery)*
- GP name: *DCPromptForPasswordOnResume_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
@ -367,6 +373,7 @@ If you disable this policy setting, the user is not prompted for a password when
ADMX Info:
- GP english name: *Require a password when a computer wakes (plugged in)*
- GP name: *ACPromptForPasswordOnResume_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
@ -418,6 +425,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify the system sleep timeout (on battery)*
- GP name: *DCStandbyTimeOut_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
@ -469,6 +477,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify the system sleep timeout (plugged in)*
- GP name: *ACStandbyTimeOut_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Printers
@ -139,6 +139,7 @@ If you disable this policy setting:
ADMX Info:
- GP english name: *Point and Print Restrictions*
- GP name: *PointAndPrint_Restrictions*
- GP path: *Control Panel/Printers*
- GP ADMX file name: *Printing.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Privacy

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - RemoteAssistance
@ -70,6 +70,7 @@ If you do not configure this policy setting, the user sees the default warning m
ADMX Info:
- GP english name: *Customize warning messages*
- GP name: *RA_Options*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
<!--EndADMX-->
@ -121,6 +122,7 @@ If you do not configure this setting, application-based settings are used.
ADMX Info:
- GP english name: *Turn on session logging*
- GP name: *RA_Logging*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
<!--EndADMX-->
@ -180,6 +182,7 @@ If you enable this policy setting you should also enable appropriate firewall ex
ADMX Info:
- GP english name: *Configure Solicited Remote Assistance*
- GP name: *RA_Solicit*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
<!--EndADMX-->
@ -262,6 +265,7 @@ Allow Remote Desktop Exception
ADMX Info:
- GP english name: *Configure Offer Remote Assistance*
- GP name: *RA_Unsolicit*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - RemoteDesktopServices
@ -70,6 +70,7 @@ You can limit the number of users who can connect simultaneously by configuring
ADMX Info:
- GP english name: *Allow users to connect remotely by using Remote Desktop Services*
- GP name: *TS_DISABLE_CONNECTIONS*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections*
- GP ADMX file name: *terminalserver.admx*
<!--EndADMX-->
@ -129,6 +130,7 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
ADMX Info:
- GP english name: *Set client connection encryption level*
- GP name: *TS_ENCRYPTION_POLICY*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
<!--EndADMX-->
@ -182,6 +184,7 @@ If you do not configure this policy setting, client drive redirection and Clipbo
ADMX Info:
- GP english name: *Do not allow drive redirection*
- GP name: *TS_CLIENT_DRIVE_M*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection*
- GP ADMX file name: *terminalserver.admx*
<!--EndADMX-->
@ -231,6 +234,7 @@ If you disable this setting or leave it not configured, the user will be able to
ADMX Info:
- GP english name: *Do not allow passwords to be saved*
- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client*
- GP ADMX file name: *terminalserver.admx*
<!--EndADMX-->
@ -286,6 +290,7 @@ If you do not configure this policy setting, automatic logon is not specified at
ADMX Info:
- GP english name: *Always prompt for password upon connection*
- GP name: *TS_PASSWORD*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
<!--EndADMX-->
@ -341,6 +346,7 @@ Note: The RPC interface is used for administering and configuring Remote Desktop
ADMX Info:
- GP english name: *Require secure RPC communication*
- GP name: *TS_RPC_ENCRYPTION*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - RemoteManagement
@ -58,6 +58,7 @@ ms.date: 07/14/2017
ADMX Info:
- GP english name: *Allow Basic authentication*
- GP name: *AllowBasic_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
@ -101,6 +102,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow Basic authentication*
- GP name: *AllowBasic_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
@ -144,6 +146,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow CredSSP authentication*
- GP name: *AllowCredSSP_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
@ -187,6 +190,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow CredSSP authentication*
- GP name: *AllowCredSSP_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
@ -230,6 +234,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow remote server management through WinRM*
- GP name: *AllowAutoConfig*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
@ -273,6 +278,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow unencrypted traffic*
- GP name: *AllowUnencrypted_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
@ -316,6 +322,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow unencrypted traffic*
- GP name: *AllowUnencrypted_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
@ -359,6 +366,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Disallow Digest authentication*
- GP name: *DisallowDigest*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
@ -402,6 +410,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Disallow Negotiate authentication*
- GP name: *DisallowNegotiate_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
@ -445,6 +454,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Disallow Negotiate authentication*
- GP name: *DisallowNegotiate_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
@ -488,6 +498,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Disallow WinRM from storing RunAs credentials*
- GP name: *DisableRunAs*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
@ -531,6 +542,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify channel binding token hardening level*
- GP name: *CBTHardeningLevel_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
@ -574,6 +586,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Trusted Hosts*
- GP name: *TrustedHosts*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
@ -617,6 +630,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Turn On Compatibility HTTP Listener*
- GP name: *HttpCompatibilityListener*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->
@ -660,6 +674,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Turn On Compatibility HTTPS Listener*
- GP name: *HttpsCompatibilityListener*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - RemoteProcedureCall
@ -68,6 +68,7 @@ Note: This policy will not be applied until the system is rebooted.
ADMX Info:
- GP english name: *Enable RPC Endpoint Mapper Client Authentication*
- GP name: *RpcEnableAuthEpResolution*
- GP path: *System/Remote Procedure Call*
- GP ADMX file name: *rpc.admx*
<!--EndADMX-->
@ -129,6 +130,7 @@ Note: This policy setting will not be applied until the system is rebooted.
ADMX Info:
- GP english name: *Restrict Unauthenticated RPC clients*
- GP name: *RpcRestrictRemoteClients*
- GP path: *System/Remote Procedure Call*
- GP ADMX file name: *rpc.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - RemoteShell
@ -58,6 +58,7 @@ ms.date: 07/14/2017
ADMX Info:
- GP english name: *Allow Remote Shell Access*
- GP name: *AllowRemoteShellAccess*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
<!--EndADMX-->
@ -101,6 +102,7 @@ ADMX Info:
ADMX Info:
- GP english name: *MaxConcurrentUsers*
- GP name: *MaxConcurrentUsers*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
<!--EndADMX-->
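Review bot: The context line `GP english name: *MaxConcurrentUsers*` repeats the GP name instead of a display string, unlike the neighbouring entries ("Allow Remote Shell Access", "Specify idle Timeout"). While adding the GP path here, replace it with the display name shown in the Group Policy editor so admins can find the setting.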
@ -144,6 +146,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify idle Timeout*
- GP name: *IdleTimeout*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
<!--EndADMX-->
@ -187,6 +190,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify maximum amount of memory in MB per Shell*
- GP name: *MaxMemoryPerShellMB*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
<!--EndADMX-->
@ -230,6 +234,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify maximum number of processes per Shell*
- GP name: *MaxProcessesPerShell*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
<!--EndADMX-->
@ -273,6 +278,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify maximum number of remote shells per user*
- GP name: *MaxShellsPerUser*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
<!--EndADMX-->
@ -316,6 +322,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify Shell Timeout*
- GP name: *ShellTimeOut*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Search

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/26/2017
ms.date: 08/09/2017
---
# Policy CSP - Security
@ -216,6 +216,45 @@ ms.date: 07/26/2017
- 0 Don't allow Anti Theft Mode.
- 1 (default) Anti Theft Mode will follow the default device configuration (region-dependent).
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="security-cleartpmifnotready"></a>**Security/ClearTPMIfNotReady**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Added in Windows 10, version 1709. Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart.
The following list shows the supported values:
- 0 (default) Will not force recovery from a non-ready TPM state.
- 1 Will prompt to clear the TPM if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
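Review bot: In the SKU table for Security/ClearTPMIfNotReady the Home cell is an empty `<td></td>`, while Mobile and Mobile Enterprise use the cross mark image. Put the cross mark or check mark image in the Home cell so the table states whether Home is supported. The block is only being moved within the file, so this is a good moment to fix it.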
@ -258,45 +297,6 @@ ms.date: 07/26/2017
- 0 (default) Encryption enabled.
- 1 Encryption disabled.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="security-cleartpmifnotready"></a>**Security/ClearTPMIfNotReady**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Added in Windows 10, version 1709. Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart.
The following list shows the supported values:
- 0 (default) Will not force recovery from a non-ready TPM state.
- 1 Will prompt to clear the TPM if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Settings

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - SmartScreen

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Speech

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Start

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Storage
@ -64,6 +64,7 @@ If you disable or do not configure this policy setting, Windows will activate un
ADMX Info:
- GP english name: *Do not allow Windows to activate Enhanced Storage devices*
- GP name: *TCGSecurityActivationDisabled*
- GP path: *System/Enhanced Storage Access*
- GP ADMX file name: *enhancedstorage.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - System
@ -548,6 +548,7 @@ Also, see the "Turn off System Restore configuration" policy setting. If the "Tu
ADMX Info:
- GP english name: *Turn off System Restore*
- GP name: *SR_DisableSR*
- GP path: *System/System Restore*
- GP ADMX file name: *systemrestore.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - TextInput
@ -363,9 +363,6 @@ ms.date: 07/14/2017
<!--StartPolicy-->
<a href="" id="textinput-allowkoreanextendedhanja"></a>**TextInput/AllowKoreanExtendedHanja**
<!--StartSKU-->
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">This policy has been deprecated.

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - TimeLanguageSettings

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Update

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - Wifi
@ -22,9 +22,6 @@ ms.date: 07/14/2017
<!--StartPolicy-->
<a href="" id="wifi-allowwifihotspotreporting"></a>**WiFi/AllowWiFiHotSpotReporting**
<!--StartSKU-->
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">This policy has been deprecated.
@ -283,6 +280,8 @@ Footnote:
<!--EndIoTCore-->
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>Wifi policies supported by Microsoft Surface Hub
- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting)
<!--EndSurfaceHub-->
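Review bot: The list under "Wifi policies supported by Microsoft Surface Hub" links to WiFi/AllowWiFiHotSpotReporting, which this same file describes with "This policy has been deprecated." Listing a deprecated policy as supported is contradictory; either drop the entry or mark it as deprecated in the list.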

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - WindowsDefenderSecurityCenter

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - WindowsInkWorkspace

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - WindowsLogon
@ -64,6 +64,7 @@ If you disable or do not configure this policy setting, users can choose which a
ADMX Info:
- GP english name: *Turn off app notifications on the lock screen*
- GP name: *DisableLockScreenAppNotifications*
- GP path: *System/Logon*
- GP ADMX file name: *logon.admx*
<!--EndADMX-->
@ -113,6 +114,7 @@ If you disable or don't configure this policy setting, any user can disconnect t
ADMX Info:
- GP english name: *Do not display network selection UI*
- GP name: *DontDisplayNetworkSelectionUI*
- GP path: *System/Logon*
- GP ADMX file name: *logon.admx*
<!--EndADMX-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/14/2017
ms.date: 08/09/2017
---
# Policy CSP - WirelessDisplay
@ -162,9 +162,6 @@ ms.date: 07/14/2017
<!--StartPolicy-->
<a href="" id="wirelessdisplay-allowuserinputfromwirelessdisplayreceiver"></a>**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver**
<!--StartSKU-->
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703.

View File

@ -191,7 +191,7 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap
To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app.
The following example shows how to pin the Internet Explorer Windows desktop application:
The following example shows how to pin the File Explorer Windows desktop application:
```XML
<start:DesktopApplicationTile

View File

@ -67,10 +67,6 @@ Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mo
In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** &gt; **Administrative Templates** &gt; **Control Panel** &gt; **Personalization** &gt; **Force a specific default lock screen image**.
>[!WARNING]
> In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release.
>
> In Windows 10, version 1703, the **Force a specific default lock screen image** policy setting applies only intermittently and may not produce expected results. This behavior will be corrected in a future release.
![lockscreen policy details](images/lockscreenpolicy.png)
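Review bot: The WARNING above the "lockscreen policy details" image goes away in this hunk (10 lines become 6), but both of its paragraphs describe behaviour tied to specific releases, versions 1607 and 1703, that "will be corrected in a future release". Nothing here says the correction shipped for those versions. If devices on 1607 or 1703 still behave this way, keep the warning scoped to those versions instead of deleting it.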

View File

@ -14,19 +14,6 @@
### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md)
### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
#### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md)
#### [Upgrade Readiness requirements](upgrade/upgrade-readiness-requirements.md)
#### [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)
##### [Upgrade Readiness deployment script](upgrade/upgrade-readiness-deployment-script.md)
#### [Use Upgrade Readiness to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md)
##### [Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md)
##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md)
##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md)
##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md)
##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md)
#### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md)
### [Windows 10 deployment test lab](windows-10-poc.md)
#### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
#### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
@ -218,9 +205,6 @@
### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md)
### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md)
### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md)
### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
#### [Get started with Update Compliance](update/update-compliance-get-started.md)
#### [Use Update Compliance](update/update-compliance-using.md)
### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md)
#### [Configure Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md)
#### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md)

View File

@ -329,7 +329,7 @@ The steps below walk you through the process of editing the Windows 10 referenc
 
5. State Restore / Custom Tasks (Pre-Windows Update). Add a new Install Roles and Features action with the following settings:
1. Name: Install - Microsoft NET Framework 3.5.1
2. Select the operating system for which roles are to be installed: Windows 8.1
2. Select the operating system for which roles are to be installed: Windows 10
3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0)
**Important**  
@ -471,7 +471,7 @@ In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except
### Update the deployment share
After the deployment share has been configured, it needs to be updated. This is the process when the Windows Windows PE boot images are created.
After the deployment share has been configured, it needs to be updated. This is the process when the Windows PE boot images are created.
1. Using the Deployment Workbench, right-click the **MDT Build Lab deployment share** and select **Update Deployment Share**.
2. Use the default options for the Update Deployment Share Wizard.
@ -566,7 +566,7 @@ SkipFinalSummary=YES
The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names.
 
- **JoinWorkgroup.** Configures Windows to join a workgroup.
- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 8.1 deployments in which the deployment wizard will otherwise appear behind the tiles.
- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles.
- **FinishAction.** Instructs MDT what to do when the task sequence is complete.
- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There is no need to do this for your reference image.
- **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied.
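Review bot: In the HideShell bullet, swapping "Windows 8.1" for "Windows 10" leaves the reason "the deployment wizard will otherwise appear behind the tiles" unchanged, and that wording reads as a description of the Windows 8.1 Start screen. Confirm the behaviour still applies to Windows 10 and reword the reason, or drop the second sentence.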

View File

@ -138,7 +138,7 @@ To ensure that user computers are receiving the most up to date data from Micros
- Schedule the Upgrade Readiness deployment script to automatically run so that you dont have to manually initiate an inventory scan each time the compatibility update KBs are updated.
- Schedule monthly user computer scans to view monthly active computer and usage information.
>When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the deltas are created when the update package is installed. A full scan averages to about 2 MB, but the delta scans are very small. For Windows 10 devices, its already part of the OS. This is the **Windows Compat Appraiser** task. Deltas are invoked via the nightly scheduled task. It attempts to run around 3AM, but if system is off at that time, the task will run when the system is turned on.
>When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the deltas is created when the update package is installed. For Windows 10 devices, it's already part of the OS. A full scan averages about 2 MB, but the delta scans are very small. The scheduled task is named **Windows Compatibility Appraiser** and can be found in the Task Scheduler Library under Microsoft > Windows > Application Experience. Deltas are invoked via the nightly scheduled task. It attempts to run around 3:00AM every day. If the system is powered off at that time, the task will run when the system is turned on.
### Distribute the deployment script at scale

View File

@ -12,7 +12,11 @@ author: greg-lindsay
# Configure VDA for Windows 10 Subscription Activation
<<<<<<< HEAD
This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based license.
=======
This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops.
>>>>>>> 9cfade7b4735548209a42a177179689a7e522ec6
## Requirements
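Review bot: Unresolved merge conflict markers are committed into the article body: "<<<<<<< HEAD", "=======" and ">>>>>>> 9cfade7b4735548209a42a177179689a7e522ec6" now sit between the title and "## Requirements", with both versions of the introductory paragraph. Resolve the conflict by keeping one paragraph (the second one completes the sentence with "licensing mechanism for managing access to virtual desktops") and delete the three marker lines.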

View File

@ -94,6 +94,7 @@
### [Prepare your organization for BitLocker: Planning and policies](bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md)
### [BitLocker basic deployment](bitlocker\bitlocker-basic-deployment.md)
### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker\bitlocker-how-to-deploy-on-windows-server.md)
### [BitLocker: Management recommendations for enterprises](bitlocker\bitlocker-management-for-enterprises.md)
### [BitLocker: How to enable Network Unlock](bitlocker\bitlocker-how-to-enable-network-unlock.md)
### [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker\bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
### [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker\bitlocker-use-bitlocker-recovery-password-viewer.md)

View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
localizationpriority: high
author: brianlic-msft
---
@ -189,6 +189,12 @@ You can use the Manage-bde.exe command-line tool to replace your TPM-only authen
`manage-bde protectors add %systemdrive% -tpmandpin <4-20 digit numeric PIN>`
### <a href="" id="bkmk-add-auth"></a> When should an additional method of authentication be considered?
New hardware that meets [Windows Hardware Compatibility Program](https://docs.microsoft.com/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack.
For older hardware, where a PIN may be needed, its recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers.
### <a href="" id="bkmk-recoveryinfo"></a>If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
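Review bot: Two grammar slips in the new "When should an additional method of authentication be considered?" answer: "New hardware ... make a PIN less critical" should be "makes", and "its recommended" should be "it's recommended". The phrase "policies like device lockout" is also too vague for a security recommendation; name the policy or link to it the way the enhanced PINs setting is linked in the next paragraph.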
@ -395,6 +401,11 @@ Yes. However, shadow copies made prior to enabling BitLocker will be automatical
BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2.
### <a href="" id="bkmk-VM"></a> Can I use BitLocker with virtual machines (VMs)?
Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (in **Settings** under **Accounts** > **Access work or school** > **Connect to work or school** to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
## More information
- [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
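Review bot: In the new VM answer, the parenthesis opened at "(in **Settings** under **Accounts**" is never closed, so the sentence runs on through "to receive policy." Close it after "**Connect to work or school**" so that "to receive policy" attaches to the three join options.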

View File

@ -0,0 +1,185 @@
---
title: BitLocker Management Recommendations for Enterprises (Windows 10)
description: This topic explains recommendations for managing BitLocker.
ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
---
# BitLocker Management Recommendations for Enterprises
This topic explains recommendations for managing BitLocker, both on-premises using older hardware and cloud-based management of modern devices.
## Forward-looking recommendations for managing BitLocker
The ideal for modern BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that it is more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction.
Therefore, we recommend that you upgrade your hardware so that your devices comply with InstantGo or [Hardware Security Test Interface (HSTI)](https://msdn.microsoft.com/library/windows/hardware/mt712332.aspx) specifications to take advantage of their automated features, for example, when using Azure Active Directory (Azure AD).
Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for:
- [Domain-joined computers](#dom_join)
- [Devices joined to Azure Active Directory (Azure AD)](#azure_ad)
- [Workplace-joined PCs and Phones](#work_join)
- [Servers](#servers)
- [Scripts](#powershell)
<br />
## BitLocker management at a glance
| | PC Old Hardware | PC New* Hardware |[Servers](#servers)/[VMs](#VMs) | Phone
|---|---|----|---|---|
|On-premises Domain-joined |[MBAM](#MBAM25)| [MBAM](#MBAM25) | [Scripts](#powershell) |N/A|
|Cloud-managed|[MDM](#MDM) |Auto-encryption|[Scripts](#powershell)|[MDM](#MDM)/EAS|
<br />
*PC hardware that supports InstantGo or HSTI
<br />
<br />
<a id="dom_join"></a>
## Recommendations for domain-joined computers
Windows continues to be the focus for new features and improvements for built-in encryption management, for example, automatically enabling encryption on devices that support InstantGo beginning with Windows 8.1. For more information, see [Overview of BitLocker and device encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#device-encryption).
Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx).
For older client computers with BitLocker that are domain joined on-premises, Microsoft BitLocker Administration and Management<sup>[1]</sup> (MBAM) remains the best way to manage BitLocker. MBAM continues to be maintained and receives security patches. Using MBAM provides the following functionality:
- Encrypts device with BitLocker using MBAM
- Stores BitLocker Recovery keys in MBAM Server
- Provides Recovery key access to end-user, helpdesk and advanced helpdesk
- Provides Reporting on Compliance and Recovery key access audit
<a id="MBAM25"></a>
<sup>[1]</sup>The latest MBAM version is [MBAM 2.5](https://technet.microsoft.com/windows/hh826072.aspx) with Service Pack 1 (SP1).
<br />
<a id="azure_ad"></a>
## Recommendations for devices joined to Azure Active Directory
<a id="MDM"></a>
Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Device Management (MDM) policy such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). Device encryption status can be queried from managed machines via the [Policy Configuration Settings Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) (CSP), which reports on whether BitLocker device encryption is enabled on the device. Compliance with device encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [Bitlocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones.
For hardware that is compliant with InstantGo and HSTI, when using either of these features, device encryption is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD.
<a id="work_join"></a>
## Workplace-joined PCs and phones
For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker device encryption is managed over MDM, and similarly for Azure AD domain join.
<a id="servers"></a>
## Recommendations for servers
Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC.
The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-core) installation, you must add the necessary GUI components first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) and [How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/).
If you are installing a server manually, such as a stand-alone server, then choosing [Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience) is the easiest path because you can avoid performing the steps to add a GUI to Server Core.
Additionally, lights out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#articles).
<a id ="powershell"></a>
## PowerShell examples
For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure Active Directory.
*Example: Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker*
```
PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:”
PS C:\>BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
```
For domain-joined computers, including servers, the recovery password should be stored in Active Directory Domain Services (AD DS).
*Example: Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker*
```
PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:”
PS C:\>Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
```
Subsequently, you can use PowerShell to enable BitLocker.
*Example: Use PowerShell to enable BitLocker with a TPM protector*
```
PS C:\>Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
```
*Example: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456*
```
PS C:\>$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
```
<a id = "articles"></a>
## Related Articles
[Bitlocker: FAQs](bitlocker-frequently-asked-questions.md)
[Microsoft BitLocker Administration and Management (MBAM)](https://technet.microsoft.com/windows/hh826072.aspx)
[Overview of BitLocker and automatic encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#device-encryption)
[System Center 2012 Configuration Manager SP1](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) *(Pre-provision BitLocker task sequence)*
[Enable BitLocker task sequence](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker)
[BitLocker Group Policy Reference](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx)
[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune)
*(Overview)*
[Configuration Settings Providers](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)
*(Policy CSP: See [Security-RequireDeviceEncryption](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-security#security-policies))*
[BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp)
<br />
**Windows Server setup tools**
[Windows Server Installation Options](https://technet.microsoft.com/library/hh831786(v=ws.11).aspx)
[How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/)
[How to add or remove optional components on Server Core](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) *(Features on Demand)*
[BitLocker: How to deploy on Windows Server 2012 and newer](bitlocker-how-to-deploy-on-windows-server.md)
[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
[Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/)
<br />
<a id="powershell"></a>
**Powershell**
[BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell)
[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs)
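Review bot: In both recovery password examples, `$BLV.KeyProtector[0].KeyProtectorId` assumes the recovery password protector that was just added is the first entry. On a volume that already has another protector, index 0 is not guaranteed to be the recovery password, so the wrong ID can be passed to the backup cmdlet. Select the protector by type instead, for example `($BLV.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId`. The same examples close `"C:”` with a typographic quote where a straight `"` belongs. Two anchor problems as well: `id="powershell"` is declared twice (above "PowerShell examples" and again above "**Powershell**" in Related Articles), and the at-a-glance table links to `#VMs`, which no anchor in this file defines.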

View File

@ -11,6 +11,13 @@ author: brianlic-msft
# Change history for device security
This topic lists new and updated topics in the [Device security](index.md) documentation.
## August 2017
|New or changed topic |Description |
|---------------------|------------|
| [BitLocker: Management recommendations for enterprises](bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. |
## July 2017
|New or changed topic |Description |
|---------------------|------------|

View File

@ -80,7 +80,7 @@ For example: netsh winhttp set proxy 10.0.0.6:8080
## Enable access to Windows Defender ATP service URLs in the proxy server
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
Primary Domain Controller | .Microsoft.com DNS record
Service location | .Microsoft.com DNS record
:---|:---
US |```*.blob.core.windows.net``` <br>```crl.microsoft.com```<br> ```us.vortex-win.data.microsoft.com```<br> ```winatp-gw-cus.microsoft.com``` <br> ```winatp-gw-eus.microsoft.com```
Europe |```*.blob.core.windows.net```<br>```crl.microsoft.com```<br> ```eu.vortex-win.data.microsoft.com```<br>```winatp-gw-neu.microsoft.com```<br> ```winatp-gw-weu.microsoft.com```<br>