diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 189d686fc7..93d1598529 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -167,6 +167,15 @@ ms.date: 10/08/2020 - [ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration) - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1) - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2) +- [ADMX_DiskNVCache/BootResumePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-bootresumepolicy) +- [ADMX_DiskNVCache/FeatureOffPolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-featureoffpolicy) +- [ADMX_DiskNVCache/SolidStatePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-solidstatepolicy) +- [ADMX_DiskQuota/DQ_RemovableMedia](./policy-csp-admx-diskquota.md#admx-diskquota-dq_removablemedia) +- [ADMX_DiskQuota/DQ_Enable](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enable) +- [ADMX_DiskQuota/DQ_Enforce](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enforce) +- [ADMX_DiskQuota/DQ_LogEventOverLimit](./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverlimit) +- [ADMX_DiskQuota/DQ_LogEventOverThreshold](./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverthreshold) +- [ADMX_DiskQuota/DQ_Limit](./policy-csp-admx-diskquota.md#admx-diskquota-dq_limit) - [ADMX_DistributedLinkTracking/DLT_AllowDomainMode](./policy-csp-admx-distributedlinktracking.md#admx-distributedlinktracking-dlt_allowdomainmode) - [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries) - [ADMX_DnsClient/DNS_AppendToMultiLabelName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-appendtomultilabelname) @@ -404,6 +413,9 @@ ms.date: 10/08/2020 - [ADMX_ICM/WinMSG_NoInstrumentation_1](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-1) - [ADMX_ICM/WinMSG_NoInstrumentation_2](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-2) - [ADMX_IIS/PreventIISInstall](./policy-csp-admx-iis.md#admx-iis-preventiisinstall) +- [ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins](./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_restrictadditionallogins) +- [ADMX_iSCSI/iSCSIGeneral_ChangeIQNName](./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_changeiqnname) +- [ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret](./policy-csp-admx-iscsi.md#admx-iscsi-iscsisecurity_changechapsecret) - [ADMX_kdc/CbacAndArmor](./policy-csp-admx-kdc.md#admx-kdc-cbacandarmor) - [ADMX_kdc/ForestSearch](./policy-csp-admx-kdc.md#admx-kdc-forestsearch) - [ADMX_kdc/PKINITFreshness](./policy-csp-admx-kdc.md#admx-kdc-pkinitfreshness) @@ -997,8 +1009,6 @@ ms.date: 10/08/2020 - [ADMX_Snmp/SNMP_Communities](./policy-csp-admx-snmp.md#admx-snmp-snmp-communities) - [ADMX_Snmp/SNMP_PermittedManagers](./policy-csp-admx-snmp.md#admx-snmp-snmp-permittedmanagers) - [ADMX_Snmp/SNMP_Traps_Public](./policy-csp-admx-snmp.md#admx-snmp-snmp-traps-public) -- [ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1](./policy-csp-admx-soundrec.md#admx-soundrec-soundrec_diableapplication_titletext_1) -- [ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2](./policy-csp-admx-soundrec.md#admx-soundrec-soundrec_diableapplication_titletext_2) - [ADMX_StartMenu/AddSearchInternetLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-addsearchinternetlinkinstartmenu) - [ADMX_StartMenu/ClearRecentDocsOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentdocsonexit) - [ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentprogfornewuserinstartmenu) @@ -1067,6 +1077,8 @@ ms.date: 10/08/2020 - [ADMX_StartMenu/StartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-startmenulogoff) - [ADMX_StartMenu/StartPinAppsWhenInstalled](./policy-csp-admx-startmenu.md#admx-startmenu-startpinappswheninstalled) - [ADMX_SystemRestore/SR_DisableConfig](./policy-csp-admx-systemrestore.md#admx-systemrestore-sr-disableconfig) +- [ADMX_TabletShell/DisableInkball_1](./policy-csp-admx-tabletshell.md#admx-tabletshell-disableinkball_1) +- [ADMX_TabletShell/DisableNoteWriterPrinting_1](./policy-csp-admx-tabletshell.md#admx-tabletshell-disablenotewriterprinting_1) - [ADMX_Taskbar/DisableNotificationCenter](./policy-csp-admx-taskbar.md#admx-taskbar-disablenotificationcenter) - [ADMX_Taskbar/EnableLegacyBalloonNotifications](./policy-csp-admx-taskbar.md#admx-taskbar-enablelegacyballoonnotifications) - [ADMX_Taskbar/HideSCAHealth](./policy-csp-admx-taskbar.md#admx-taskbar-hidescahealth) @@ -1102,6 +1114,8 @@ ms.date: 10/08/2020 - [ADMX_tcpip/Teredo_Server_Name](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-server-name) - [ADMX_tcpip/Teredo_State](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-state) - [ADMX_tcpip/Windows_Scaling_Heuristics_State](./policy-csp-admx-tcpip.md#admx-tcpip-windows-scaling-heuristics-state) +- [ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable) +- [ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method) - [ADMX_Thumbnails/DisableThumbnails](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnails) - [ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnailsonnetworkfolders) - [ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbsdbonnetworkfolders) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index e0e613f0c2..b4bd9c3452 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -747,6 +747,43 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC +### ADMX_DiskNVCache policies + +
+
+ ADMX_DiskNVCache/BootResumePolicy +
+
+ ADMX_DiskNVCache/FeatureOffPolicy +
+
+ ADMX_DiskNVCache/SolidStatePolicy +
+
+ +### ADMX_DiskQuota policies + +
+
+ ADMX_DiskQuota/DQ_RemovableMedia +
+
+ ADMX_DiskQuota/DQ_Enable +
+
+ ADMX_DiskQuota/DQ_Enforce +
+
+ ADMX_DiskQuota/DQ_LogEventOverLimit +
+
+ ADMX_DiskQuota/DQ_LogEventOverThreshold +
+
+ ADMX_DiskQuota/DQ_Limit +
+
+ ### ADMX_DistributedLinkTracking policies
@@ -1578,6 +1615,26 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_iSCSI policies + +
+
+ ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins +
+
+ ADMX_iSCSI/iSCSIGeneral_ChangeIQNName +
+
+ ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret +
+
+ ### ADMX_kdc policies
@@ -3575,15 +3632,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC ADMX_Snmp/SNMP_Traps_Public
- -### ADMX_SoundRec policies - -
-
- ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1 -
-
- ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2
@@ -3801,6 +3849,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_TabletShell policies + +
+
+ ADMX_TabletShell/DisableInkball_1 +
+
+ ADMX_TabletShell/DisableNoteWriterPrinting_1 +
+
+ ### ADMX_Taskbar policies
@@ -3916,6 +3975,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_TerminalServer policies + +
+
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE +
+
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD +
+
+ ### ADMX_Thumbnails policies
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index b872c74469..c3d8c37963 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -156,6 +156,5 @@ The following list shows the supported values:
- diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index f7b9ef9ea1..dfb1da857f 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -81,24 +81,7 @@ manager: dansimp No No - - Pro - No - No - - - Business - No - No - - - Enterprise - Yes - Yes - - Education - Yes - Yes + @@ -170,8 +153,6 @@ ADMX Info: Business - Yes - Yes Enterprise @@ -180,8 +161,6 @@ ADMX Info: Education - Yes - Yes diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index 2708da9adc..110c13b38f 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -75,8 +75,6 @@ manager: dansimp - - diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md index f3aef0211f..4e924cb2a7 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md +++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_AppxPackageManager -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + + > [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -36,28 +41,34 @@ manager: dansimp
EditionWindows 10Windows 11
Home
- - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -74,7 +85,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. +This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. Special profiles are the following user profiles, where changes are discarded after the user signs off: @@ -88,12 +99,7 @@ If you enable this policy setting, Group Policy allows deployment operations (ad If you disable or do not configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -106,7 +112,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md index c30dafd023..74860dbb38 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_AppXRuntime -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -45,29 +50,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross mark
YesYes
@@ -83,19 +93,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. +This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -114,28 +119,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -153,19 +164,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. +This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can open files only in other Windows Store apps. If you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop app for a file type. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -184,28 +189,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -222,7 +233,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched. +This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched. If you enable this policy setting, Universal Windows apps which declare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected. @@ -232,12 +243,6 @@ If you disable or do not configure this policy setting, all Universal Windows ap > This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -256,28 +261,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -295,7 +306,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. +This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps. @@ -305,12 +316,6 @@ If you disable or do not configure this policy setting, Windows Store apps can o > Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -323,8 +328,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md index 7a82136079..9ddc5dc7bc 100644 --- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_AttachmentManager -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -48,28 +53,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -86,7 +97,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments. +This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments. Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, trust notepad.exe, but don't trust .txt files. @@ -99,12 +110,6 @@ If you disable this policy setting, Windows uses its default trust logic, which If you do not configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -123,28 +128,33 @@ ADMX Info: - - + + + - - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross mark
NoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -161,7 +171,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments. +This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments. High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. @@ -176,12 +186,6 @@ If you disable this policy setting, Windows sets the default risk level to moder If you do not configure this policy setting, Windows sets the default risk level to moderate. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -200,28 +204,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -238,7 +248,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list). +This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list). If you enable this policy setting, you can create a custom list of high-risk file types. @@ -247,12 +257,6 @@ If you disable this policy setting, Windows uses its built-in list of file types If you do not configure this policy setting, Windows uses its built-in list of high-risk file types. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -271,28 +275,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -309,7 +319,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). +This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). If you enable this policy setting, you can specify file types that pose a low risk. @@ -318,12 +328,6 @@ If you disable this policy setting, Windows uses its default trust logic. If you do not configure this policy setting, Windows uses its default trust logic. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -342,28 +346,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -380,7 +390,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list). +This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list). If you enable this policy setting, you can specify file types which pose a moderate risk. @@ -389,12 +399,6 @@ If you disable this policy setting, Windows uses its default trust logic. If you do not configure this policy setting, Windows uses its default trust logic. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -407,7 +411,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index 56d9939332..5e4ce66ca3 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -12,9 +12,14 @@ ms.reviewer: manager: dansimp --- -# Policy CSP - ADMX_AuditSettings -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +# Policy CSP - ADMX_AuditSettings. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -36,28 +41,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -74,7 +85,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. +This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. @@ -86,12 +97,6 @@ Default is Not configured. > When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information, such as passwords or user data. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -104,8 +109,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index 9a5fd957e7..db5b7fc71f 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_Bits -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -75,28 +80,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -113,7 +124,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default. +This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default. If you enable this policy setting, the BITS client does not use Windows Branch Cache. @@ -121,14 +132,8 @@ If you disable or do not configure this policy setting, the BITS client uses Win > [!NOTE] > This policy setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy setting does not apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely. - + -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -147,28 +152,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -185,7 +196,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computer will act as a BITS peer caching client. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). +This policy setting specifies whether the computer will act as a BITS peer caching client. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). If you enable this policy setting, the computer will no longer use the BITS peer caching feature to download files; files will be downloaded only from the origin server. However, the computer will still make files available to its peers. @@ -195,12 +206,7 @@ If you disable or do not configure this policy setting, the computer attempts to > This policy setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -219,28 +225,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -257,7 +269,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computer will act as a BITS peer caching server. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). +This policy setting specifies whether the computer will act as a BITS peer caching server. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). If you enable this policy setting, the computer will no longer cache downloaded files and offer them to its peers. However, the computer will still download files from peers. @@ -267,12 +279,7 @@ If you disable or do not configure this policy setting, the computer will offer > This setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -292,28 +299,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -330,7 +343,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner. +This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner. If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other BITS peers. When transferring a download job, BITS first requests the files for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the origin server. @@ -339,12 +352,7 @@ If you enable this policy setting, BITS downloads files from peers, caches the f If you disable or do not configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -364,28 +372,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -402,7 +416,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the origin server). +This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the origin server). To prevent any negative impact to a computer caused by serving other peers, by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100 Mbps network card and a 56 Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps. @@ -416,12 +430,6 @@ If you disable this policy setting or do not configure it, the default value of > This setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -440,28 +448,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -478,7 +492,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used for background transfers. +This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used for background transfers. If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period. @@ -490,12 +504,6 @@ If you disable or do not configure this policy setting, the limits defined for w > The bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -515,28 +523,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -553,7 +567,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours. +This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours. If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and non-work hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low. @@ -562,12 +576,6 @@ You can specify a limit to use for background jobs during a work schedule. For e If you disable or do not configure this policy setting, BITS uses all available unused bandwidth for background job transfers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -587,28 +595,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -625,7 +639,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache, as a percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache content reaches the specified cache size. By default, BITS will use 1 percent of the total system disk for the peercache. +This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache, as a percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache content reaches the specified cache size. By default, BITS will use 1 percent of the total system disk for the peercache. If you enable this policy setting, you can enter the percentage of disk space to be used for the BITS peer cache. You can enter a value between 1 percent and 80 percent. @@ -635,12 +649,6 @@ If you disable or do not configure this policy setting, the default size of the > This policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -659,28 +667,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -707,12 +721,6 @@ If you disable or do not configure this policy setting, files that have not been > This policy setting has no effect if the "Allow BITS Peercaching" policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -731,28 +739,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -769,7 +783,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files in a BITS job. +This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files in a BITS job. The time limit applies only to the time that BITS is actively downloading files. When the cumulative download time exceeds this limit, the job is placed in the error state. @@ -780,12 +794,7 @@ If you enable this policy setting, you can set the maximum job download time to If you disable or do not configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -804,28 +813,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -842,7 +857,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain. +This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain. If you enable this policy setting, BITS will limit the maximum number of files a job can contain to the specified number. @@ -852,12 +867,7 @@ If you disable or do not configure this policy setting, BITS will use the defaul > BITS Jobs created by services and the local administrator account do not count toward this limit. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -876,28 +886,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -914,7 +930,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default, BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or lower the maximum number of user BITS jobs. +This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default, BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or lower the maximum number of user BITS jobs. If you enable this policy setting, BITS will limit the maximum number of BITS jobs to the specified number. @@ -924,12 +940,7 @@ If you disable or do not configure this policy setting, BITS will use the defaul > BITS jobs created by services and the local administrator account do not count toward this limit. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -948,28 +959,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -986,7 +1003,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS jobs a user can create. +This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS jobs a user can create. If you enable this policy setting, BITS will limit the maximum number of BITS jobs a user can create to the specified number. @@ -996,12 +1013,7 @@ If you disable or do not configure this policy setting, BITS will use the defaul > This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account do not count toward this limit. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1020,28 +1032,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1058,7 +1076,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, files in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file. +This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, files in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file. If you enable this policy setting, BITS will limit the maximum number of ranges that can be added to a file to the specified number. @@ -1068,12 +1086,7 @@ If you disable or do not configure this policy setting, BITS will limit ranges t > BITS Jobs created by services and the local administrator account do not count toward this limit. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1086,8 +1099,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md new file mode 100644 index 0000000000..2c19a0ace8 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md @@ -0,0 +1,266 @@ +--- +title: Policy CSP - ADMX_DiskNVCache +description: Policy CSP - ADMX_DiskNVCache +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 08/12/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DiskNVCache + + +
+ + +## ADMX_DiskNVCache policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +
+
+ ADMX_DiskNVCache/BootResumePolicy +
+
+ ADMX_DiskNVCache/FeatureOffPolicy +
+
+ ADMX_DiskNVCache/SolidStatePolicy +
+
+ + +
+ + +**ADMX_DiskNVCache/BootResumePolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting turns off the boot and resume optimizations for the hybrid hard disks in the system. + +If you enable this policy setting, the system does not use the non-volatile (NV) cache to optimize boot and resume. + +If you disable this policy setting, the system uses the NV cache to achieve faster boot and resume. +The system determines the data that will be stored in the NV cache to optimize boot and resume. + +The required data is stored in the NV cache during shutdown and hibernate, respectively. This might cause a slight increase in the time taken for shutdown and hibernate. If you do not configure this policy setting, the default behavior is observed and the NV cache is used for boot and resume optimizations. + +This policy setting is applicable only if the NV cache feature is on. + + + + +ADMX Info: +- GP Friendly name: *Turn off boot and resume optimizations* +- GP name: *BootResumePolicy* +- GP path: *System\Disk NV Cache* +- GP ADMX file name: *DiskNVCache.admx* + + + +
+ +**ADMX_DiskNVCache/FeatureOffPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the system. + +To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks spun down while satisfying reads and writes from the cache. + +If you enable this policy setting, the system will not manage the NV cache and will not enable NV cache power saving mode. + +If you disable this policy setting, the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriately configured. + +This policy setting will take effect on next boot. If you do not configure this policy setting, the default behavior is to turn on support for the NV cache. + + + + + + +ADMX Info: +- GP Friendly name: *Turn off non-volatile cache feature* +- GP name: *FeatureOffPolicy* +- GP path: *System\Disk NV Cache* +- GP ADMX file name: *DiskNVCache.admx* + + + + +
+ + +**ADMX_DiskNVCache/SolidStatePolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting turns off the solid state mode for the hybrid hard disks. + +If you enable this policy setting, frequently written files such as the file system metadata and registry may not be stored in the NV cache. + +If you disable this policy setting, the system will store frequently written data into the non-volatile (NV) cache. This allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power. + +This can cause increased wear of the NV cache. If you do not configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. Note: This policy setting is applicable only if the NV cache feature is on. + + + + + +ADMX Info: +- GP Friendly name: *Turn off solid state mode* +- GP name: *SolidStatePolicy* +- GP path: *System\Disk NV Cache* +- GP ADMX file name: *DiskNVCache.admx* + + + + +
+ + + + diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md new file mode 100644 index 0000000000..16ccbf1dce --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md @@ -0,0 +1,500 @@ +--- +title: Policy CSP - ADMX_DiskQuota +description: Policy CSP - ADMX_DiskQuota +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 08/12/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DiskQuota + + +
+ +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +## ADMX_DiskQuota policies + + +
+
+ ADMX_DiskQuota/DQ_RemovableMedia +
+
+ ADMX_DiskQuota/DQ_Enable +
+
+ ADMX_DiskQuota/DQ_Enforce +
+
+ ADMX_DiskQuota/DQ_LogEventOverLimit +
+
+ ADMX_DiskQuota/DQ_LogEventOverThreshold +
+
+ ADMX_DiskQuota/DQ_Limit +
+
+ + +
+ + +**ADMX_DiskQuota/DQ_RemovableMedia** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting extends the disk quota policies in this folder to NTFS file system volumes on the removable media. + +If you disable or do not configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only. + +When this policy setting is applied, the computer will apply the disk quota to both fixed and removable media. + + + + +ADMX Info: +- GP Friendly name: *Apply policy to removable media* +- GP name: *DQ_RemovableMedia* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
+ + +**ADMX_DiskQuota/DQ_Enable** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting turns on and turns off disk quota management on all NTFS volumes of the computer, and prevents users from changing the setting. + +If you enable this policy setting, disk quota management is turned on, and users cannot turn it off. + +If you disable the policy setting, disk quota management is turned off, and users cannot turn it on. When this policy setting is not configured then the disk quota management is turned off by default, and the administrators can turn it on. + +To prevent users from changing the setting while a setting is in effect, the system disables the "Enable quota management" option on the Quota tab of NTFS volumes. + +This policy setting turns on disk quota management but does not establish or enforce a particular disk quota limit. + +To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit. + +To turn on or turn off disk quota management without specifying a setting, in My Computer, right-click the name of an NTFS volume, click Properties, click the Quota tab, and then click "Enable quota management." + + + + +ADMX Info: +- GP Friendly name: *Enable disk quotas* +- GP name: *DQ_Enable* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
+ + + +**ADMX_DiskQuota/DQ_Enforce** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines whether disk quota limits are enforced and prevents users from changing the setting. + +If you enable this policy setting, disk quota limits are enforced. + +If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceed quota limit" option on the Quota tab. Therefore, the administrators cannot make changes while the setting is in effect. + +If you do not configure this policy setting, the disk quota limit is not enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes. However, the users can continue to write to the volume as long as physical space is available. + +This policy setting overrides user settings that enable or disable quota enforcement on their volumes. + +To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit. + + + + +ADMX Info: +- GP Friendly name: *Enforce disk quota limit* +- GP name: *DQ_Enforce* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
+ + + +**ADMX_DiskQuota/DQ_LogEventOverLimit** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines whether the system records an event in the local Application log when users reach their disk quota limit on a volume, and prevents users from changing the logging setting. + +If you enable this policy setting, the system records an event when the user reaches their limit. + +If you disable this policy setting, no event is recorded. Also, when you enable or disable this policy setting, the system disables the "Log event when a user exceeds their quota limit" option on the Quota tab, so administrators cannot change the setting while a setting is in effect. If you do not configure this policy setting, no events are recorded, but administrators can use the Quota tab option to change the setting. + +This policy setting is independent of the enforcement policy settings for disk quotas. As a result, you can direct the system to log an event, regardless of whether or not you choose to enforce the disk quota limit. Also, this policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their limit, because their status in the Quota Entries window changes. + +To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. + + + + + +ADMX Info: +- GP Friendly name: *Log event when quota limit is exceeded* +- GP name: *DQ_LogEventOverLimit* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + +
+ + + +**ADMX_DiskQuota/DQ_LogEventOverThreshold** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines whether the system records an event in the Application log when users reach their disk quota warning level on a volume. + +If you enable this policy setting, the system records an event. + +If you disable this policy setting, no event is recorded. When you enable or disable this policy setting, the system disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators cannot change logging while a policy setting is in effect. + +If you do not configure this policy setting, no event is recorded, but administrators can use the Quota tab option to change the logging setting. This policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their warning level because their status in the Quota Entries window changes. + +To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. + + + + +ADMX Info: +- GP Friendly name: *Log event when quota warning level is exceeded* +- GP name: *DQ_LogEventOverThreshold* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
+ + + +**ADMX_DiskQuota/DQ_Limit** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting specifies the default disk quota limit and warning level for new users of the volume. +This policy setting determines how much disk space can be used by each user on each of the NTFS file system volumes on a computer. It also specifies the warning level, the point at which the user's status in the Quota Entries window changes to indicate that the user is approaching the disk quota limit. + +This setting overrides new users’ settings for the disk quota limit and warning level on their volumes, and it disables the corresponding options in the "Select the default quota limit for new users of this volume" section on the Quota tab. +This policy setting applies to all new users as soon as they write to the volume. It does not affect disk quota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties). + +If you disable or do not configure this policy setting, the disk space available to users is not limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level. When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it is reasonable for the range of volumes in the group. + +This policy setting is effective only when disk quota management is enabled on the volume. Also, if disk quotas are not enforced, users can exceed the quota limit you set. When users reach the quota limit, their status in the Quota Entries window changes, but users can continue to write to the volume. + + + + +ADMX Info: +- GP Friendly name: *Specify default quota limit and warning level* +- GP name: *DQ_Limit* +- GP path: *System\Disk Quotas* +- GP ADMX file name: *DiskQuota.admx* + + + + +
+ + + diff --git a/windows/client-management/mdm/policy-csp-admx-iscsi.md b/windows/client-management/mdm/policy-csp-admx-iscsi.md new file mode 100644 index 0000000000..f26e77cac0 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-iscsi.md @@ -0,0 +1,249 @@ +--- +title: Policy CSP - ADMX_iSCSI +description: Policy CSP - ADMX_iSCSI +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/17/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_iSCSI + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+ + +## ADMX_iSCSI policies + +
+
+ ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins +
+
+ ADMX_iSCSI/iSCSIGeneral_ChangeIQNName +
+
+ ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret +
+
+ + +
+ + +**ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS servers may not be removed. + +If disabled then new iSNS servers may be added and thus new targets discovered via those iSNS servers; existing iSNS servers may be removed. + + + + + +ADMX Info: +- GP English name: *Do not allow manual configuration of iSNS servers* +- GP name: *iSCSIGeneral_RestrictAdditionalLogins* +- GP path: *System\iSCSI\iSCSI Target Discovery* +- GP ADMX file name: *iSCSI.admx* + + + +
+ + +**ADMX_iSCSI/iSCSIGeneral_ChangeIQNName** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +If enabled then new target portals may not be added and thus new targets discovered on those portals; existing target portals may not be removed. + +If disabled then new target portals may be added and thus new targets discovered on those portals; existing target portals may be removed. + + + + +ADMX Info: +- GP English name: *Do not allow manual configuration of target portals* +- GP name: *iSCSIGeneral_ChangeIQNName* +- GP path: *System\iSCSI\iSCSI Target Discovery* +- GP ADMX file name: *iSCSI.admx* + + + +
+ + +**ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +If enabled then do not allow the initiator CHAP secret to be changed. + +If disabled then the initiator CHAP secret may be changed. + + + + + +ADMX Info: +- GP English name: *Do not allow changes to initiator CHAP secret* +- GP name: *iSCSISecurity_ChangeCHAPSecret* +- GP path: *System\iSCSI\iSCSI Security* +- GP ADMX file name: *iSCSI.admx* + + + +
+ + + + diff --git a/windows/client-management/mdm/policy-csp-admx-srmfci.md b/windows/client-management/mdm/policy-csp-admx-srmfci.md new file mode 100644 index 0000000000..ade211ea40 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-srmfci.md @@ -0,0 +1,180 @@ +--- +title: Policy CSP - ADMX_srmfci +description: Policy CSP - ADMX_srmfci +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/18/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_srmfci + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+ + +## ADMX_srmfci policies + +
+
+ ADMX_srmfci/EnableShellAccessCheck +
+
+ ADMX_srmfci/AccessDeniedConfiguration +
+
+ + +
+ + +**ADMX_srmfci/EnableShellAccessCheck** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all file types. + + + + + +ADMX Info: +- GP Friendly name: *Enable access-denied assistance on client for all file types* +- GP name: *EnableShellAccessCheck* +- GP path: *System\Access-Denied Assistance* +- GP ADMX file name: *srmfci.admx* + + + +
+ + +**ADMX_srmfci/AccessDeniedConfiguration** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting specifies the message that users see when they are denied access to a file or folder. You can customize the Access Denied message to include additional text and links. You can also provide users with the ability to send an email to request access to the file or folder to which they were denied access. + +If you enable this policy setting, users receive a customized Access Denied message from the file servers on which this policy setting is applied. + +If you disable this policy setting, users see a standard Access Denied message that doesn't provide any of the functionality controlled by this policy setting, regardless of the file server configuration. + +If you do not configure this policy setting, users see a standard Access Denied message unless the file server is configured to display the customized Access Denied message. By default, users see the standard Access Denied message. + + + + +ADMX Info: +- GP Friendly name: *Customize message for Access Denied errors* +- GP name: *AccessDeniedConfiguration* +- GP path: *System\Access-Denied Assistance* +- GP ADMX file name: *srmfci.admx* + + + +
+ + + + diff --git a/windows/client-management/mdm/policy-csp-admx-tabletshell.md b/windows/client-management/mdm/policy-csp-admx-tabletshell.md new file mode 100644 index 0000000000..53648b8f57 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-tabletshell.md @@ -0,0 +1,186 @@ +--- +title: Policy CSP - ADMX_TabletShell +description: Policy CSP - ADMX_TabletShell +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_TabletShell + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+ + +## ADMX_TabletShell policies + +
+
+ ADMX_TabletShell/DisableInkball_1 +
+
+ ADMX_TabletShell/DisableNoteWriterPrinting_1 +
+
+ + +
+ + +**ADMX_TabletShell/DisableInkball_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Prevents start of InkBall game. + +If you enable this policy, the InkBall game will not run. + +If you disable this policy, the InkBall game will run. If you do not configure this policy, the InkBall game will run. + + + + + +ADMX Info: +- GP Friendly name: *Do not allow Inkball to run* +- GP name: *DisableInkball_1* +- GP path: *Windows Components\Tablet PC\Accessories* +- GP ADMX file name: *TabletShell.admx* + + + + +
+ + +**ADMX_TabletShell/DisableNoteWriterPrinting_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Prevents printing to Journal Note Writer. + +If you enable this policy, the Journal Note Writer printer driver will not allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail. + +If you disable this policy, you will be able to use this feature to print to a Journal Note. If you do not configure this policy, users will be able to use this feature to print to a Journal Note. + + + + + + +ADMX Info: +- GP Friendly name: *Do not allow printing to Journal Note Writer* +- GP name: *DisableNoteWriterPrinting_1* +- GP path: *Windows Components\Tablet PC\Accessories* +- GP ADMX file name: *TabletShell.admx* + + + +
+ + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md new file mode 100644 index 0000000000..ed42ebde3f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -0,0 +1,192 @@ +--- +title: Policy CSP - ADMX_TerminalServer +description: Policy CSP - ADMX_TerminalServer +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_TerminalServer + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+ + +## ADMX_TerminalServer policies + +
+
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE +
+
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD +
+
+ + +
+ + +**ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify whether the client computer redirects its time zone settings to the Remote Desktop Services session. + +If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone). + +If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone. + +Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 or later. + + + + + +ADMX Info: +- GP Friendly name: *Allow time zone redirection* +- GP name: *TS_GATEWAY_POLICY_ENABLE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + + +
+ + +**ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirection) between a remote computer and a client computer during a Remote Desktop Services session. + +You can use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default, Remote Desktop Services allows Clipboard redirection. + +If you enable this policy setting, users cannot redirect Clipboard data. + +If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection. + +If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level. + + + + + + +ADMX Info: +- GP Friendly name: *Do not allow Clipboard redirection* +- GP name: *TS_GATEWAY_POLICY_AUTH_METHOD* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + + + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 2ad51bd5de..554f8d934a 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -455,6 +455,10 @@ items: href: policy-csp-admx-dfs.md - name: ADMX_DigitalLocker href: policy-csp-admx-digitallocker.md + - name: ADMX_DiskNVCache + href: policy-csp-admx-disknvcache.md + - name: ADMX_DiskQuota + href: policy-csp-admx-diskquota.md - name: ADMX_DistributedLinkTracking href: policy-csp-admx-distributedlinktracking.md - name: ADMX_DnsClient @@ -506,7 +510,9 @@ items: - name: ADMX_ICM href: policy-csp-admx-icm.md - name: ADMX_IIS - href: policy-csp-admx-iis.md + href: policy-csp-admx-iis.md + - name: ADMX_iSCSI + href: policy-csp-admx-iscsi.md - name: ADMX_kdc href: policy-csp-admx-kdc.md - name: ADMX_Kerberos @@ -599,16 +605,18 @@ items: href: policy-csp-admx-smartcard.md - name: ADMX_Snmp href: policy-csp-admx-snmp.md - - name: ADMX_SoundRec - href: policy-csp-admx-soundrec.md - name: ADMX_StartMenu href: policy-csp-admx-startmenu.md - name: ADMX_SystemRestore href: policy-csp-admx-systemrestore.md + - name: ADMX_TabletShell + href: policy-csp-admx-tabletshell.md - name: ADMX_Taskbar href: policy-csp-admx-taskbar.md - name: ADMX_tcpip href: policy-csp-admx-tcpip.md + - name: ADMX_TerminalServer + href: policy-csp-admx-terminalserver.md - name: ADMX_Thumbnails href: policy-csp-admx-thumbnails.md - name: ADMX_TouchInput diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index d5c9651f0f..70b89b04ee 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md @@ -1,5 +1,5 @@ --- -title: Smart Card and Remote Desktop Services (Windows 10) +title: Smart Card and Remote Desktop Services (Windows) description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card and Remote Desktop Services -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in. diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 63cbad9b26..604f470a49 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -1,5 +1,5 @@ --- -title: Smart Card Architecture (Windows 10) +title: Smart Card Architecture (Windows) description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Architecture -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system, including credential provider architecture and the smart card subsystem architecture. diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md index dbcf86ee67..32f79fdf8f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md @@ -1,5 +1,5 @@ --- -title: Certificate Propagation Service (Windows 10) +title: Certificate Propagation Service (Windows) description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 08/24/2021 ms.reviewer: --- # Certificate Propagation Service -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation. diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index a220e7e658..7e32d7679f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -1,5 +1,5 @@ --- -title: Certificate Requirements and Enumeration (Windows 10) +title: Certificate Requirements and Enumeration (Windows) description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Certificate Requirements and Enumeration -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in. @@ -185,7 +185,7 @@ Certificate requirements are listed by versions of the Windows operating system. The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider. -| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows 10** | **Requirements for Windows XP** | +| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows 10, and Windows 11** | **Requirements for Windows XP** | |--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | CRL distribution point location | Not required | The location must be specified, online, and available, for example:
\[1\]CRL Distribution Point
Distribution Point Name:
Full Name:
URL= | | Key usage | Digital signature | Digital signature | diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index a084d3c132..b65f0ce66c 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md @@ -1,5 +1,5 @@ --- -title: Smart Card Troubleshooting (Windows 10) +title: Smart Card Troubleshooting (Windows) description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Troubleshooting -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This article explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md index bb93b39cce..b8f7de6f81 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-events.md +++ b/windows/security/identity-protection/smart-cards/smart-card-events.md @@ -1,5 +1,5 @@ --- -title: Smart Card Events (Windows 10) +title: Smart Card Events (Windows) description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Events -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development. diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index 50d2b45bb2..ad5011e9b9 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md @@ -1,5 +1,5 @@ --- -title: Smart Card Group Policy and Registry Settings (Windows 10) +title: Smart Card Group Policy and Registry Settings (Windows) description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/23/2021 ms.reviewer: --- # Smart Card Group Policy and Registry Settings -Applies to: Windows 10, Windows Server 2016 +Applies to: Windows 10, Windows 11, Windows Server 2016 and above This article for IT professionals and smart card developers describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards. diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md index 9939c9ec73..05d1dbf771 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md +++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md @@ -1,5 +1,5 @@ --- -title: How Smart Card Sign-in Works in Windows (Windows 10) +title: How Smart Card Sign-in Works in Windows description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # How Smart Card Sign-in Works in Windows -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. It includes the following resources about the architecture, certificate management, and services that are related to smart card use: diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md index 3f72307e25..c52deb3971 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md @@ -1,5 +1,5 @@ --- -title: Smart Card Removal Policy Service (Windows 10) +title: Smart Card Removal Policy Service (Windows) description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,17 +12,17 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Card Removal Policy Service -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. -The smart card removal policy service is applicable when a user has signed in with a smart card and subsequently removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). +The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). **Smart card removal policy service** diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md index e4548fc317..ba3e2a4c05 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md @@ -1,5 +1,5 @@ --- -title: Smart Cards for Windows Service (Windows 10) +title: Smart Cards for Windows Service (Windows) description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,13 +12,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 ms.reviewer: --- # Smart Cards for Windows Service -Applies To: Windows 10, Windows Server 2016 +Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service (formerly called Smart Card Resource Manager) manages readers and application interactions. @@ -26,7 +26,7 @@ The Smart Cards for Windows service provides the basic infrastructure for all ot The Smart Cards for Windows service runs in the context of a local service, and it is implemented as a shared service of the services host (svchost) process. The Smart Cards for Windows service, Scardsvr, has the following service description: -``` +```PowerShell Never notify< Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you do not need to replace the majority of apps when UAC is turned on. -Windows 10 includes file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app. +Windows 10 and Windows 11 include file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app. Most app tasks operate properly by using virtualization features. Although virtualization allows a majority of applications to run, it is a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization. @@ -301,7 +303,7 @@ All UAC-compliant apps should have a requested execution level added to the appl ### Installer detection technology -Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 also heuristically detects updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry. +Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 and Windows 11 heuristically detect installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 and Windows 11 also heuristically detect updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry. Installer detection only applies to: diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md index 6f65b3199e..a4ae0b4d3d 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md @@ -1,5 +1,5 @@ --- -title: User Account Control Group Policy and registry key settings (Windows 10) +title: User Account Control Group Policy and registry key settings (Windows) description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. ms.prod: w10 ms.mktglfcycl: deploy @@ -21,7 +21,8 @@ ms.reviewer: **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above ## Group Policy settings There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings). diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md index a95145abaa..263dd2fe27 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md @@ -1,5 +1,5 @@ --- -title: User Account Control (Windows 10) +title: User Account Control (Windows) description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38 ms.reviewer: @@ -14,14 +14,15 @@ ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management ms.topic: article -ms.date: 07/27/2017 +ms.date: 09/24/2011 --- # User Account Control **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md index 793fe303aa..9a6cb42323 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md @@ -1,5 +1,5 @@ --- -title: User Account Control security policy settings (Windows 10) +title: User Account Control security policy settings (Windows) description: You can use security policies to configure how User Account Control works in your organization. ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98 ms.reviewer: @@ -14,13 +14,16 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 09/24/2021 --- # User Account Control security policy settings **Applies to** - Windows 10 +- Windows 11 +- Windows Server 2016 and above + You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy.