From 38b90600338c67bfa3d403f953a7e378947ec7bc Mon Sep 17 00:00:00 2001
From: Liz Long <104389055+lizgt2000@users.noreply.github.com>
Date: Thu, 29 Dec 2022 15:34:32 -0500
Subject: [PATCH] devicelock display dmaguard
---
.../mdm/policy-csp-devicelock.md | 1915 ++++++++++-------
.../mdm/policy-csp-display.md | 466 ++--
.../mdm/policy-csp-dmaguard.md | 140 +-
3 files changed, 1478 insertions(+), 1043 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index fc07d7068e..bc7b915aea 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -1,245 +1,215 @@
---
-title: Policy CSP - DeviceLock
-description: Learn how to use the Policy CSP - DeviceLock setting to specify whether the user must input a PIN or password when the device resumes from an idle state.
+title: DeviceLock Policy CSP
+description: Learn more about the DeviceLock Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 12/29/2022
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 05/16/2022
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - DeviceLock
-
+> [!TIP]
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-## DeviceLock policies
-
-
- -
- DeviceLock/AllowIdleReturnWithoutPassword
-
- -
- DeviceLock/AllowSimpleDevicePassword
-
- -
- DeviceLock/AllowScreenTimeoutWhileLockedUserConfig
-
- -
- DeviceLock/AlphanumericDevicePasswordRequired
-
- -
- DeviceLock/DevicePasswordEnabled
-
- -
- DeviceLock/DevicePasswordExpiration
-
- -
- DeviceLock/DevicePasswordHistory
-
- -
- DeviceLock/EnforceLockScreenAndLogonImage
-
- -
- DeviceLock/MaxDevicePasswordFailedAttempts
-
- -
- DeviceLock/MaxInactivityTimeDeviceLock
-
- -
- DeviceLock/MinDevicePasswordComplexCharacters
-
- -
- DeviceLock/MinDevicePasswordLength
-
- -
- DeviceLock/MinimumPasswordAge
-
- -
- DeviceLock/PreventEnablingLockScreenCamera
-
- -
- DeviceLock/PreventLockScreenSlideShow
-
-
-
-
-
-
-> [!Important]
+
+
+[!Important]
> The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For more information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types).
-
-**DeviceLock/AllowIdleReturnWithoutPassword**
+
-
+
+## AllowIdleReturnWithoutPassword
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|No|No|
-|Windows SE|No|No|
-|Business|No|No|
-|Enterprise|No|No|
-|Education|No|No|
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/AllowIdleReturnWithoutPassword
+```
+
-
-
+
+
+Specifies whether the user must input a PIN or password when the device resumes from an idle state.
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
> [!NOTE]
> Currently, this policy is supported only in HoloLens 2, HoloLens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition.
-Specifies whether the user must input a PIN or password when the device resumes from an idle state.
-
> [!NOTE]
> This policy must be wrapped in an Atomic command.
+
-
-
-The following list shows the supported values:
+
+**Description framework properties**:
-- 0 – Not allowed.
-- 1 (default) – Allowed.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+| Dependency [DeviceLock_AllowIdleReturnWithoutPassword_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
Dependency Allowed Value: `[0]`
Dependency Allowed Value Type: `Range`
|
+
-
-
+
+**Allowed values**:
-
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
-
-**DeviceLock/AllowSimpleDevicePassword**
+
+
+
-
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+## AllowScreenTimeoutWhileLockedUserConfig
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/AllowScreenTimeoutWhileLockedUserConfig
+```
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.
+
-> [!div class = "checklist"]
-> * Device
+
+
+
-
+
+**Description framework properties**:
-
-
-Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | Allow |
+| 0 (Default) | Block |
+
+
+
+
+
+
+
+
+
+## AllowSimpleDevicePassword
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/AllowSimpleDevicePassword
+```
+
+
+
+
+Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords.
+
+
+
+
> [!NOTE]
> This policy must be wrapped in an Atomic command.
For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
+
-
-
-The following list shows the supported values:
+
+**Description framework properties**:
-- 0 (default) – Blocked
-- 1 – Allowed
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+| Dependency [DeviceLock_AllowSimpleDevicePassword_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
Dependency Allowed Value: `[0]`
Dependency Allowed Value Type: `Range`
|
+
-
-
+
+**Allowed values**:
-
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
-
-**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig**
+
+
+
-
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+## AlphanumericDevicePasswordRequired
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/AlphanumericDevicePasswordRequired
+```
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-
-
-
-
-The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
-
-
-**DeviceLock/AlphanumericDevicePasswordRequired**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Determines the type of PIN required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required).
+
+
+Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0
+
+
+
> [!NOTE]
> This policy must be wrapped in an Atomic command.
>
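Review bot: the Important alert at the top of the rewritten page is broken: `+[!Important]` has lost its `>` prefix while the following line `> The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine]...` still carries one, so the marker renders as literal text and the paragraph as an unlabeled quote; change it to `> [!IMPORTANT]`. Two content checks in the same hunk: the AllowSimpleDevicePassword default flips from the removed `- 0 (default) – Blocked` to `| 1 (Default) | Allowed. |` with `| Default Value | 1 |`, which documents simple PINs such as 1111 as allowed by default, so confirm that against the DDF before merging; and the AlphanumericDevicePasswordRequired description now ends `is set to 0` without the `(required)` qualifier or the terminating period that the removed sentence had. Minor: the Scope and Editions cells in the new tables are split across physical lines, and a Markdown table needs `<br>` for line breaks inside a cell, so verify these render as a single row.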
@@ -251,456 +221,31 @@ Determines the type of PIN required. This policy only applies if the **DeviceLoc
> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1.
>
> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2.
-
-
-
-The following list shows the supported values:
-
-- 0 – Password or Alphanumeric PIN required.
-- 1 – Password or Numeric PIN required.
-- 2 (default) – Password, Numeric PIN, or Alphanumeric PIN required.
-
-
-
-
-
-
-
-**DeviceLock/DevicePasswordEnabled**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Specifies whether device lock is enabled.
-
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
->
-> Always use the Replace command instead of Add for this policy in Windows for desktop editions.
-
-
-
-> [!IMPORTANT]
-> The **DevicePasswordEnabled** setting must be set to 0 (device password is enabled) for the following policy settings to take effect:
->
-> - AllowSimpleDevicePassword
-> - MinDevicePasswordLength
-> - AlphanumericDevicePasswordRequired
-> - MaxDevicePasswordFailedAttempts
-> - MaxInactivityTimeDeviceLock
-> - MinDevicePasswordComplexCharacters
-
-
-> [!IMPORTANT]
-> If **DevicePasswordEnabled** is set to 0 (device password is enabled), then the following policies are set:
->
-> - MinDevicePasswordLength is set to 4
-> - MinDevicePasswordComplexCharacters is set to 1
->
-> If **DevicePasswordEnabled** is set to 1 (device password is disabled), then the following DeviceLock policies are set to 0:
->
-> - MinDevicePasswordLength
-> - MinDevicePasswordComplexCharacters
-
-> [!Important]
-> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below:
-> - **DevicePasswordEnabled** is the parent policy of the following:
-> - AllowSimpleDevicePassword
-> - MinDevicePasswordLength
-> - AlphanumericDevicePasswordRequired
-> - MinDevicePasswordComplexCharacters
-> - DevicePasswordExpiration
-> - DevicePasswordHistory
-> - MaxDevicePasswordFailedAttempts
-> - MaxInactivityTimeDeviceLock
-
-
-
-The following list shows the supported values:
-
-- 0 (default) – Enabled
-- 1 – Disabled
-
-
-
-
-
-
-
-**DeviceLock/DevicePasswordExpiration**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Specifies when the password expires (in days).
-
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
-
-
-
-If all policy values = 0, then 0; otherwise, Min policy value is the most secure value.
-
-For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
-
-
-
-The following list shows the supported values:
-
-- An integer X where 0 <= X <= 730.
-- 0 (default) - Passwords don't expire.
-
-
-
-
-
-
-
-**DeviceLock/DevicePasswordHistory**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Specifies how many passwords can be stored in the history that can’t be used.
-
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
-
-The value includes the user's current password. This value denotes that with a setting of 1, the user can't reuse their current password when choosing a new password, while a setting of 5 means that a user can't set their new password to their current password or any of their previous four passwords.
-
-Max policy value is the most restricted.
-
-For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
-
-
-
-The following list shows the supported values:
-
-- An integer X where 0 <= X <= 50.
-- 0 (default)
-
-
-
-
-
-
-
-**DeviceLock/EnforceLockScreenAndLogonImage**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Specifies the default lock screen and sign-in image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and sign-in screens. Users won't be able to change this image.
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro.
-
-
-Value type is a string, which is the full image filepath and filename.
-
-
-
-
-
-
-
-**DeviceLock/MaxDevicePasswordFailedAttempts**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
-
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
-
-
-On a client device, when the user reaches the value set by this policy, it isn't wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker isn't enabled, then the policy can't be enforced.
-
- Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key.
-
-
-Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value.
-
-For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
-
-
-
-The following list shows the supported values:
-
-- An integer X where 4 <= X <= 16 for client devices.
-- 0 (default) - The device is never wiped after an incorrect PIN or password is entered.
-
-
-
-
-
-
-
-**DeviceLock/MaxInactivityTimeDeviceLock**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app.
-
-On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy.
-
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
-
-
-
-For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
-
-
-
-The following list shows the supported values:
-
-- An integer X where 0 <= X <= 999.
-- 0 (default) - No timeout is defined.
-
-
-
-
-
-
-
-**DeviceLock/MinDevicePasswordComplexCharacters**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
-
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
->
-> Always use the Replace command instead of Add for this policy in Windows for desktop editions.
-
-PIN enforces the following behavior for client devices:
-
-- 1 - Digits only
-- 2 - Digits and lowercase letters are required
-- 3 - Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts.
-- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop or HoloLens.
-
-The default value is 1. The following list shows the supported values and actual enforced values:
-
-|Account Type|Supported Values|Actual Enforced Values|
-|--- |--- |--- |
-|Local Accounts|1,2,3|3|
-|Microsoft Accounts|1,2|<p2|
-|Domain Accounts|Not supported|Not supported|
-
-
-Enforced values for Local and Microsoft Accounts:
-
-- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3.
-- Passwords for local accounts must meet the following minimum requirements:
-
- - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
- - Be at least six characters in length
- - Contain characters from three of the following four categories:
-
- - English uppercase characters (A through Z)
- - English lowercase characters (a through z)
- - Base 10 digits (0 through 9)
- - Special characters (!, $, \#, %, etc.)
-
-The enforcement of policies for Microsoft accounts happens on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant.
-
-For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
-
-
-
-
-
-
-
-**DeviceLock/MinDevicePasswordLength**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Specifies the minimum number or characters required in the PIN or password.
-
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 2 |
+| Dependency [DeviceLock_AlphanumericDevicePasswordRequired_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
Dependency Allowed Value: `[0]`
Dependency Allowed Value Type: `Range`
|
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Password or Alphanumeric PIN required. |
+| 1 | Password or Numeric PIN required. |
+| 2 (Default) | Password, Numeric PIN, or Alphanumeric PIN required. |
+
+
+
+
> [!NOTE]
> This policy must be wrapped in an Atomic command.
>
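Review bot: the tail of this hunk leaves the MinDevicePasswordLength material orphaned under the AlphanumericDevicePasswordRequired heading. The `-**DeviceLock/MinDevicePasswordLength**` heading and its `-Specifies the minimum number or characters required in the PIN or password.` description are deleted, but the unchanged context that follows (`> [!NOTE]`, `> This policy must be wrapped in an Atomic command.`, and the `The following example shows how to set the minimum password length to 4 characte...` SyncML sample referenced in the next hunk header) is kept, so it now reads as part of the Alphanumeric section. Either move that note and example into a re-added `## MinDevicePasswordLength` section or remove them here. Also confirm that content deleted in this hunk and not restored by it is re-added later in the file: the MinDevicePasswordComplexCharacters guidance (the `|Account Type|Supported Values|Actual Enforced Values|` table, the local-account password requirements, and the note that Microsoft-account enforcement happens on the server with length 8 and complexity 2), the MaxInactivityTimeDeviceLock section with its HoloLens sleep-timeout caveat, and the MinDevicePasswordLength section itself. If that description sentence is restored, fix the `number or characters` typo (`or` for `of`) rather than carrying it over.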
@@ -743,168 +288,1020 @@ The following example shows how to set the minimum password length to 4 characte
```
-
-
+
-
+
-
-**DeviceLock/MinimumPasswordAge**
+
+## ClearTextPassword
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/ClearTextPassword
+```
+
+
+
+
+Store passwords using reversible encryption This security setting determines whether the operating system stores passwords using reversible encryption. This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information. This policy is required when using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 0 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Store passwords using reversible encryption |
+| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
+
+
+
+
+
+
+
+
+
+## DevicePasswordEnabled
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled
+```
+
+
+
+
+Specifies whether device lock is enabled.
+
+
+
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
+>
+> Always use the Replace command instead of Add for this policy in Windows for desktop editions.
+
+> [!IMPORTANT]
+> The **DevicePasswordEnabled** setting must be set to 0 (device password is enabled) for the following policy settings to take effect:
+>
+> - AllowSimpleDevicePassword
+> - MinDevicePasswordLength
+> - AlphanumericDevicePasswordRequired
+> - MaxDevicePasswordFailedAttempts
+> - MaxInactivityTimeDeviceLock
+> - MinDevicePasswordComplexCharacters
+
+
+> [!IMPORTANT]
+> If **DevicePasswordEnabled** is set to 0 (device password is enabled), then the following policies are set:
+>
+> - MinDevicePasswordLength is set to 4
+> - MinDevicePasswordComplexCharacters is set to 1
+>
+> If **DevicePasswordEnabled** is set to 1 (device password is disabled), then the following DeviceLock policies are set to 0:
+>
+> - MinDevicePasswordLength
+> - MinDevicePasswordComplexCharacters
+
+> [!Important]
+> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below:
+> - **DevicePasswordEnabled** is the parent policy of the following:
+> - AllowSimpleDevicePassword
+> - MinDevicePasswordLength
+> - AlphanumericDevicePasswordRequired
+> - MinDevicePasswordComplexCharacters
+> - DevicePasswordExpiration
+> - DevicePasswordHistory
+> - MaxDevicePasswordFailedAttempts
+> - MaxInactivityTimeDeviceLock
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Enabled |
+| 1 (Default) | Disabled |
+
+
+
+
+
+
+
+
+
+## DevicePasswordExpiration
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordExpiration
+```
+
+
+
+
+Specifies when the password expires (in days).
+
+
+
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-730]` |
+| Default Value | 0 |
+| Dependency [DeviceLock_DevicePasswordExpiration_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
Dependency Allowed Value: `[0]`
Dependency Allowed Value Type: `Range`
|
+
+
+
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
-
-
+If all policy values = 0, then 0; otherwise, Min policy value is the most secure value.
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0.
-
-The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
-
-Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting doesn't follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user doesn't have to choose a new password. For this reason, Enforce password history is set to 1 by default.
+For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
-
-GP Info:
-- GP Friendly name: *Minimum password age*
-- GP path: *Windows Settings/Security Settings/Account Policies/Password Policy*
+
+The following list shows the supported values:
-
-
+- An integer X where 0 <= X <= 730.
+- 0 (default) - Passwords don't expire.
+
-
+
-
-**DeviceLock/PreventEnablingLockScreenCamera**
+
+## DevicePasswordHistory
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
-|Edition|Windows 10|Windows 11|
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordHistory
+```
+
+
+
+
+Specifies how many passwords can be stored in the history that can’t be used.
+
+
+
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
+
+The value includes the user's current password. This value denotes that with a setting of 1, the user can't reuse their current password when choosing a new password, while a setting of 5 means that a user can't set their new password to their current password or any of their previous four passwords.
+
+Max policy value is the most restricted.
+
+For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
+
+
+
+The following list shows the supported values:
+
+- An integer X where 0 <= X <= 50.
+- 0 (default)
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-50]` |
+| Default Value | 0 |
+| Dependency [DeviceLock_DevicePasswordHistory_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
Dependency Allowed Value: `[0]`
Dependency Allowed Value Type: `Range`
|
+
+
+
+
+
+
+
+
+
+## EnforceLockScreenAndLogonImage
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/EnforceLockScreenAndLogonImage
+```
+
+
+
+
+Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. Value type is a string, which is the full image filepath and filename.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+## EnforceLockScreenProvider
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/EnforceLockScreenProvider
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+## MaxDevicePasswordFailedAttempts
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxDevicePasswordFailedAttempts
+```
+
+
+
+
+The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
+
+**Note**: This policy must be wrapped in an Atomic command. This policy has different behaviors on the mobile device and desktop. On a mobile device, when the user reaches the value set by this policy, then the device is wiped. On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced. Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. For additional information about this policy, see Exchange ActiveSync Policy Engine Overview.
+
+
+
+
+The following list shows the supported values:
+
+- An integer X where 4 <= X <= 16 for client devices.
+- 0 (default) - The device is never wiped after an incorrect PIN or password is entered.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-999]` |
+| Default Value | 0 |
+| Dependency [DeviceLock_MaxDevicePasswordFailedAttempts_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
Dependency Allowed Value: `[0]`
Dependency Allowed Value Type: `Range`
|
+
+
+
+
+
+
+
+
+
+## MaximumPasswordAge
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaximumPasswordAge
+```
+
+
+
+
+This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.
+
+**Note**: It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources. Default: 42.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-999]` |
+| Default Value | 1 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Maximum password age |
+| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
+
+
+
+
+
+
+
+
+
+## MaxInactivityTimeDeviceLock
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock
+```
+
+
+
+
+The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-999]` |
+| Default Value | 0 |
+| Dependency [DeviceLock_MaxInactivityTimeDeviceLock_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
Dependency Allowed Value: `[0]`
Dependency Allowed Value Type: `Range`
|
+
+
+
+
+
+
+
+
+
+## MaxInactivityTimeDeviceLockWithExternalDisplay
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay
+```
+
+
+
+
+Sets the maximum timeout value for the external display.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[1-999]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+## MinDevicePasswordComplexCharacters
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordComplexCharacters
+```
+
+
+
+
+The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
+
+
+
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
+>
+> Always use the Replace command instead of Add for this policy in Windows for desktop editions.
+
+PIN enforces the following behavior for client devices:
+
+- 1 - Digits only
+- 2 - Digits and lowercase letters are required
+- 3 - Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts.
+- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop or HoloLens.
+
+The default value is 1. The following list shows the supported values and actual enforced values:
+
+|Account Type|Supported Values|Actual Enforced Values|
|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+|Local Accounts|1,2,3|3|
+|Microsoft Accounts|1,2|<p2|
+|Domain Accounts|Not supported|Not supported|
-
-
+Enforced values for Local and Microsoft Accounts:
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3.
+- Passwords for local accounts must meet the following minimum requirements:
-> [!div class = "checklist"]
-> * Device
+ - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
+ - Be at least six characters in length
+ - Contain characters from three of the following four categories:
-
+ - English uppercase characters (A through Z)
+ - English lowercase characters (a through z)
+ - Base 10 digits (0 through 9)
+ - Special characters (!, $, \#, %, etc.)
-
-
-Disables the lock screen camera toggle-switch in PC Settings and prevents a camera from being invoked on the lock screen.
+The enforcement of policies for Microsoft accounts happens on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant.
+
+For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+| Dependency [DeviceLock_MinDevicePasswordComplexCharacters_DependencyGroup] | Dependency Type: `DependsOn DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled Device/Vendor/MSFT/Policy/Config/DeviceLock/AlphanumericDevicePasswordRequired`
Dependency Allowed Value: `[0] [0]`
Dependency Allowed Value Type: `Range Range`
|
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 (Default) | Digits only |
+| 2 | Digits and lowercase letters are required |
+| 3 | Digits lowercase letters and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts |
+| 4 | Digits lowercase letters uppercase letters and special characters are required. Not supported in desktop |
+
+
+
+
+
+
+
+
+
+## MinDevicePasswordLength
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength
+```
+
+
+
+
+Specifies the minimum number or characters required in the PIN or password.
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[4-16]` |
+| Default Value | 4 |
+| Dependency [DeviceLock_MinDevicePasswordLength_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
Dependency Allowed Value: `[0]`
Dependency Allowed Value Type: `Range`
|
+
+
+
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
+>
+> Always use the Replace command instead of Add for this policy in Windows for desktop editions.
+
+
+
+Max policy value is the most restricted.
+
+For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
+
+
+
+The following list shows the supported values:
+
+- An integer X where 4 <= X <= 16 for client devices. However, local accounts will always enforce a minimum password length of 6.
+- Not enforced.
+- The default value is 4 for client devices.
+
+
+
+**Example**:
+
+The following example shows how to set the minimum password length to 4 characters.
+
+```xml
+
+
+
+ $CmdID$
+ -
+
+ ./Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength
+
+
+ int
+
+ 4
+
+
+
+
+
+```
+
+
+
+
+
+## MinimumPasswordAge
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinimumPasswordAge
+```
+
+
+
+
+This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-998]` |
+| Default Value | 1 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Minimum password age |
+| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
+
+
+
+
+
+
+
+
+
+## PasswordComplexity
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/PasswordComplexity
+```
+
+
+
+
+Password must meet complexity requirements This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: Not contain the user's account name or parts of the user's full name that exceed two consecutive characters Be at least six characters in length Contain characters from three of the following four categories: English uppercase characters (A through Z) English lowercase characters (a through z) Base 10 digits (0 through 9) Non-alphabetic characters (for example, !, $, #, %) Complexity requirements are enforced when passwords are changed or created.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Password must meet complexity requirements |
+| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
+
+
+
+
+
+
+
+
+
+## PasswordHistorySize
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/PasswordHistorySize
+```
+
+
+
+
+Minimum password length This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting is dependent on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting is not defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required.
+
+**Note**: By default, member computers follow the configuration of their domain controllers. Default: 7 on domain controllers. 0 on stand-alone servers. Configuring this setting than 14 may affect compatibility with clients, services, and applications. Microsoft recommends that you only configure this setting larger than 14 after using the Minimum password length audit setting to test for potential incompatibilities at the new setting.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-24]` |
+| Default Value | 7 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Minimum password length |
+| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
+
+
+
+
+
+
+
+
+
+## PreventEnablingLockScreenCamera
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/PreventEnablingLockScreenCamera
+```
+
+
+
+
+Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen.
By default, users can enable invocation of an available camera on the lock screen.
-If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera can't be invoked on the lock screen.
+If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera cannot be invoked on the lock screen.
+
-
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-ADMX Info:
-- GP Friendly name: *Prevent enabling lock screen camera*
-- GP name: *CPL_Personalization_NoLockScreenCamera*
-- GP path: *Control Panel/Personalization*
-- GP ADMX file name: *ControlPanelDisplay.admx*
+**ADMX mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | CPL_Personalization_NoLockScreenCamera |
+| Friendly Name | Prevent enabling lock screen camera |
+| Location | Computer Configuration |
+| Path | Control Panel > Personalization |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization |
+| Registry Value Name | NoLockScreenCamera |
+| ADMX File Name | ControlPanelDisplay.admx |
+
-
+
+
+
-
-**DeviceLock/PreventLockScreenSlideShow**
+
-
+
+## PreventLockScreenSlideShow
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/PreventLockScreenSlideShow
+```
+
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Disables the lock screen slideshow settings in PC Settings and prevents a slide show from playing on the lock screen.
+
+
+Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.
By default, users can enable a slide show that will run after they lock the machine.
If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start.
+
-
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-ADMX Info:
-- GP Friendly name: *Prevent enabling lock screen slide show*
-- GP name: *CPL_Personalization_NoLockScreenSlideshow*
-- GP path: *Control Panel/Personalization*
-- GP ADMX file name: *ControlPanelDisplay.admx*
+**ADMX mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | CPL_Personalization_NoLockScreenSlideshow |
+| Friendly Name | Prevent enabling lock screen slide show |
+| Location | Computer Configuration |
+| Path | Control Panel > Personalization |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization |
+| Registry Value Name | NoLockScreenSlideshow |
+| ADMX File Name | ControlPanelDisplay.admx |
+
-
+
+
+
+
+
+## ScreenTimeoutWhileLocked
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
-## Related topics
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceLock/ScreenTimeoutWhileLocked
+```
+
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+
+
+Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[10-1800]` |
+| Default Value | 10 |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
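Review bot: The MaxInactivityTimeDeviceLock description ("The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.") is the MaxDevicePasswordFailedAttempts text pasted in, and PasswordHistorySize carries the "Minimum password length" description, note and Group policy mapping name; both sections should describe their own policy before this merges. Other inconsistencies in this hunk: MaximumPasswordAge lists `| Default Value | 1 |` while its note says "Default: 42"; MaxInactivityTimeDeviceLockWithExternalDisplay has `Range: [1-999]` with `Default Value | 0`, outside its own range; MaxDevicePasswordFailedAttempts says "An integer X where 4 <= X <= 16 for client devices" but its table allows `[0-999]`; the complexity table row `|Microsoft Accounts|1,2|<p2|` contains stray markup in the enforced-value cell; the MinDevicePasswordComplexCharacters dependency cell crams two dependencies into one cell as `DependsOn DependsOn` / `[0] [0]`, which will render as one run of text; the MinDevicePasswordLength supported-values bullet "- Not enforced." has no value attached, and the SyncML example below it has lost its element tags (only `$CmdID$`, the LocURI, `int` and `4` survive) and uses `./Vendor/MSFT/...` where the section header uses `./Device/Vendor/MSFT/...`. Also "Configuring this setting than 14" is missing "larger", and the PasswordComplexity description needs its requirements broken out as a list rather than one run-on sentence.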
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index 8e0295af7e..e692af7ae2 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -1,118 +1,105 @@
---
-title: Policy CSP - Display
-description: Learn how to use the Policy CSP - Display setting to disable Per-Process System DPI for a semicolon-separated list of applications.
+title: Display Policy CSP
+description: Learn more about the Display Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 12/29/2022
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - Display
-
+
+
+
-
-## Display policies
+
+## DisablePerProcessDpiForApps
-
- -
- Display/DisablePerProcessDpiForApps
-
- -
- Display/EnablePerProcessDpi
-
- -
- Display/EnablePerProcessDpiForApps
-
- -
- Display/TurnOffGdiDPIScalingForApps
-
- -
- Display/TurnOnGdiDPIScalingForApps
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Display/DisablePerProcessDpiForApps
+```
+
-
-
-
-**Display/DisablePerProcessDpiForApps**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
+
-
-
-ADMX Info:
-- GP Friendly name: *Configure Per-Process System DPI settings*
-- GP name: *DisplayPerProcessSystemDpiSettings*
-- GP element: *DisplayDisablePerProcessSystemDpiSettings*
-- GP path: *System/Display*
-- GP ADMX file name: *Display.admx*
+
+
+
-
-
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
-
-**Display/EnablePerProcessDpi**
+
+**Group policy mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | DisplayPerProcessSystemDpiSettings |
+| Friendly Name | Configure Per-Process System DPI settings |
+| Element Name | Disable Per-Process System DPI for the following applications. Use either the full application path or the application filename and extension. Separate applications with a semicolon. |
+| Location | Computer and User Configuration |
+| Path | System > Display |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Display |
+| ADMX File Name | Display.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
+
-
-
+
+## EnablePerProcessDpi
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
-> [!div class = "checklist"]
-> * User
-> * Device
+
+```User
+./User/Vendor/MSFT/Policy/Config/Display/EnablePerProcessDpi
+```
-
+```Device
+./Device/Vendor/MSFT/Policy/Config/Display/EnablePerProcessDpi
+```
+
-
-
+
+
+Enable or disable Per-Process System DPI for all applications.
+
+
+
+
Per Process System DPI is an application compatibility feature for desktop applications that don't render properly after a display-scale factor (DPI) change. When the display scale factor of the primary display changes (which can happen when you connect or disconnect a display that has a different display scale factor (DPI), connect remotely from a device with a different display scale factor, or manually change the display scale factor), many desktop applications can display blurry. Desktop applications that haven't been updated to display properly in this scenario will be blurry until you sign out and back in to Windows.
When you enable this policy some blurry applications will be crisp after they're restarted, without requiring the user to sign out and back in to Windows.
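Review bot: DisablePerProcessDpiForApps is declared Device-scope only (`:x: User` in the Scope table and a single `./Device/Vendor/MSFT/...` URI) while its Group policy mapping says `| Location | Computer and User Configuration |`; either add the User scope and a `./User/Vendor/MSFT/Policy/Config/Display/DisablePerProcessDpiForApps` URI, as EnablePerProcessDpi does in this hunk, or change the mapping to Computer Configuration so the two tables agree.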
@@ -126,100 +113,122 @@ Per Process System DPI won't work for all applications as some older desktop app
In some cases, you may see some unexpected behavior in some desktop applications that have Per-Process System DPI applied. If that happens, Per Process System DPI should be disabled.
Enabling this setting lets you specify the system-wide default for desktop applications and per-application overrides. If you disable or don't configure this setting, Per Process System DPI won't apply to any processes on the system.
+
-
-
-ADMX Info:
-- GP Friendly name: *Configure Per-Process System DPI settings*
-- GP name: *DisplayPerProcessSystemDpiSettings*
-- GP element: *DisplayGlobalPerProcessSystemDpiSettings*
-- GP path: *System/Display*
-- GP ADMX file name: *Display.admx*
+
+**Description framework properties**:
-
-
-The following list shows the supported values:
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
-- 0 - Disable.
-- 1 - Enable.
+
+**Allowed values**:
-
-
+| Value | Description |
+|:--|:--|
+| 0 | Disable. |
+| 1 | Enable. |
+
-
+
+**Group policy mapping**:
-
-**Display/EnablePerProcessDpiForApps**
+| Name | Value |
+|:--|:--|
+| Name | DisplayPerProcessSystemDpiSettings |
+| Friendly Name | Configure Per-Process System DPI settings |
+| Element Name | Enable or disable Per-Process System DPI for all applications. |
+| Location | Computer and User Configuration |
+| Path | System > Display |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Display |
+| ADMX File Name | Display.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+## EnablePerProcessDpiForApps
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Display/EnablePerProcessDpiForApps
+```
+
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
+
-
-
-ADMX Info:
-- GP Friendly name: *Configure Per-Process System DPI settings*
-- GP name: *DisplayPerProcessSystemDpiSettings*
-- GP element: *DisplayEnablePerProcessSystemDpiSettings*
-- GP path: *System/Display*
-- GP ADMX file name: *Display.admx*
+
+
+
-
-
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
-
-**Display/TurnOffGdiDPIScalingForApps**
+
+**Group policy mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | DisplayPerProcessSystemDpiSettings |
+| Friendly Name | Configure Per-Process System DPI settings |
+| Element Name | Enable Per-Process System DPI for the following applications. Use either the full application path or the application filename and extension. Separate applications with a semicolon. |
+| Location | Computer and User Configuration |
+| Path | System > Display |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Display |
+| ADMX File Name | Display.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
+
-
-
+
+## TurnOffGdiDPIScalingForApps
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Display/TurnOffGdiDPIScalingForApps
+```
+
-
+
+
+This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension.
+
-
-
+
+
GDI DPI Scaling enables applications that aren't DPI aware to become per monitor DPI aware.
This policy setting lets you specify legacy applications that have GDI DPI Scaling turned off.
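Review bot: The `| Location | Computer and User Configuration |` row in the EnablePerProcessDpiForApps group policy mapping contradicts the scope table directly above it, which marks `:x: User` and `:heavy_check_mark: Device` only; the mapping for the preceding policy has the same mismatch. Either the scope table should list User or the Location row should say Computer Configuration, as the TurnOffGdiDPIScalingForApps mapping later in this hunk does. Separately, the new scope tables show the Scope and Editions cells spread over several lines with no leading `+` (`| :heavy_check_mark: Device` and then `:x: User | :x: Home` on the next line); a Markdown table row cannot span lines, so confirm the source keeps each row on one line with an inline separator such as `<br>`. Minor: the new TurnOffGdiDPIScalingForApps description reads "This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension."; suggest "This policy lets you force GDI DPI Scaling off for a semicolon-separated list of applications. Applications can be specified either by full path or by filename and extension."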
@@ -229,58 +238,68 @@ If you enable this policy setting, GDI DPI Scaling is turned off for all applica
If you disable or don't configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications.
If GDI DPI Scaling is configured to both turn-off and turn-on an application, the application will be turned off.
+
-
-
-ADMX Info:
-- GP Friendly name: *Turn off GdiDPIScaling for applications*
-- GP name: *DisplayTurnOffGdiDPIScaling*
-- GP element: *DisplayTurnOffGdiDPIScalingPrompt*
-- GP path: *System/Display*
-- GP ADMX file name: *Display.admx*
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DisplayTurnOffGdiDPIScaling |
+| Friendly Name | Turn off GdiDPIScaling for applications |
+| Element Name | Disable GDI DPI Scaling for the following applications. Use either the full application path or the application filename and extension. Separate applications with a semicolon. |
+| Location | Computer Configuration |
+| Path | System > Display |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Display |
+| ADMX File Name | Display.admx |
+
+
+
+
+**Validate**:
-
-
To validate on Desktop, do the following tasks:
1. Configure the setting for an app, which has GDI DPI scaling enabled via MDM or any other supported mechanisms.
2. Run the app and observe blurry text.
Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address.
-
+
-
+
-
-**Display/TurnOnGdiDPIScalingForApps**
+
+## TurnOnGdiDPIScalingForApps
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Display/TurnOnGdiDPIScalingForApps
+```
+
+
+
+This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension.
+
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-GDI DPI Scaling enables applications that aren't DPI aware to become per monitor DPI aware.
-
+
+
This policy setting lets you specify legacy applications that have GDI DPI Scaling turned on.
If you enable this policy setting, GDI DPI Scaling is turned on for all legacy applications in the list.
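Review bot: The Validate section of TurnOffGdiDPIScalingForApps still ends with the unchanged line "Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address.", which describes a network-isolation setting and has nothing to do with GDI DPI scaling; since this hunk already rewrites the surrounding section, drop that sentence now rather than carry it into the restructured page. Also, the sentence "GDI DPI Scaling enables applications that aren't DPI aware to become per monitor DPI aware." is removed from TurnOnGdiDPIScalingForApps in this hunk but kept as context under TurnOffGdiDPIScalingForApps; keep it in both sibling policies or in neither so they read consistently. Minor: the new TurnOn description has the same wording problem as the TurnOff one ("This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications"); suggest "This policy lets you turn on GDI DPI Scaling for a semicolon-separated list of applications."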
@@ -288,31 +307,50 @@ If you enable this policy setting, GDI DPI Scaling is turned on for all legacy a
If you disable or don't configure this policy setting, GDI DPI Scaling won't be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
If GDI DPI Scaling is configured to both turn-off and turn-on an application, the application will be turned off.
+
-
-
-ADMX Info:
-- GP Friendly name: *Turn on GdiDPIScaling for applications*
-- GP name: *DisplayTurnOnGdiDPIScaling*
-- GP element: *DisplayTurnOnGdiDPIScalingPrompt*
-- GP path: *System/Display*
-- GP ADMX file name: *Display.admx*
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DisplayTurnOnGdiDPIScaling |
+| Friendly Name | Turn on GdiDPIScaling for applications |
+| Element Name | Enable GDI DPI Scaling for the following applications. Use either the full application path or the application filename and extension. Separate applications with a semicolon. |
+| Location | Computer Configuration |
+| Path | System > Display |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Display |
+| ADMX File Name | Display.admx |
+
+
+
+
+**Validate**:
-
-
To validate on Desktop, do the following tasks:
1. Configure the setting for an app, which uses GDI.
2. Run the app and observe crisp text.
+
-
-
-
+
+
+
+
+
-
+## Related articles
-## Related topics
-
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
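Review bot: The Validate step "Configure the setting for an app, which uses GDI." (unchanged context) should read "an app that uses GDI", because the clause is restrictive; the matching TurnOff step earlier in the patch ("an app, which has GDI DPI scaling enabled") has the same comma, and both are worth fixing while these sections are being restructured. Likewise "If GDI DPI Scaling is configured to both turn-off and turn-on an application" should use the verb forms "turn off and turn on". The rename of "## Related topics" to "## Related articles" and the restored trailing newline at end of file look correct.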
diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md
index 8de9e8a848..0cf55a401e 100644
--- a/windows/client-management/mdm/policy-csp-dmaguard.md
+++ b/windows/client-management/mdm/policy-csp-dmaguard.md
@@ -1,101 +1,101 @@
---
-title: Policy CSP - DmaGuard
-description: Learn how to use the Policy CSP - DmaGuard setting to provide more security against external DMA capable devices.
+title: DmaGuard Policy CSP
+description: Learn more about the DmaGuard Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 12/29/2022
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - DmaGuard
-
+
+
+
-
-## DmaGuard policies
+
+## DeviceEnumerationPolicy
-
- -
- DmaGuard/DeviceEnumerationPolicy
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DmaGuard/DeviceEnumerationPolicy
+```
+
-
+
+
+Enumeration policy for external DMA-capable devices incompatible with DMA remapping. This policy only takes effect when Kernel DMA Protection is enabled and supported by the system.
-
-**DmaGuard/DeviceEnumerationPolicy**
+**Note**: this policy does not apply to 1394, PCMCIA or ExpressCard devices.
+
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy is intended to provide more security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices that are incompatible with [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers), device memory isolation and sandboxing.
Device memory sandboxing allows the OS to use the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that can't be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, check the Kernel DMA Protection field in the Summary page of MSINFO32.exe.
+
-> [!NOTE]
-> This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices.
+
+**Description framework properties**:
-The following are the supported values:
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-0 - Block all (Most restrictive): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will never be allowed to start and perform DMA at any time.
+
+**Allowed values**:
-1 - Only after log in/screen unlock (Default): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will only be enumerated after the user unlocks the screen.
+| Value | Description |
+|:--|:--|
+| 0 | Block all (Most restrictive) |
+| 1 (Default) | Only after log in/screen unlock |
+| 2 | Allow all (Least restrictive) |
+
-2 - Allow all (Least restrictive): All external DMA capable PCIe devices will be enumerated at any time
+
+**Group policy mapping**:
-
-
-ADMX Info:
-- GP Friendly name: *Enumeration policy for external devices incompatible with Kernel DMA Protection*
-- GP name: *DmaGuardEnumerationPolicy*
-- GP path: *System/Kernel DMA Protection*
-- GP ADMX file name: *dmaguard.admx*
+| Name | Value |
+|:--|:--|
+| Name | DmaGuardEnumerationPolicy |
+| Friendly Name | Enumeration policy for external devices incompatible with Kernel DMA Protection |
+| Location | Computer Configuration |
+| Path | System > Kernel DMA Protection |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Kernel DMA Protection |
+| ADMX File Name | DmaGuard.admx |
+
-
-
+
+
+
-
-
+
-
-
+
+
+
-
-
-
+
-
+## Related articles
-## Related topics
-
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
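Review bot: The new `**Allowed values**` table for DeviceEnumerationPolicy drops the behaviour descriptions that the removed lines carried; for example, value 1 previously read "Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will only be enumerated after the user unlocks the screen." A bare label such as "Only after log in/screen unlock" does not tell an administrator which devices are affected, and the difference between 0 and 1 is exactly the hardening decision this policy exists for, so keep the per-value descriptions in the Description column. The replacement note also narrows the exclusion list: `+**Note**: this policy does not apply to 1394, PCMCIA or ExpressCard devices.` omits CardBus and the Firewire name that the removed `> [!NOTE]` callout listed, and swaps the `> [!NOTE]` callout for bold text, which breaks with the callout style used in the rest of these pages; restore the full list and the callout. The hunk also now states "This policy only takes effect when Kernel DMA Protection is enabled and supported by the system" in the new first paragraph and again in the unchanged third paragraph; one occurrence is enough. Minor: `| ADMX File Name | DmaGuard.admx |` changes the case of the removed `dmaguard.admx`; confirm which matches the shipped file name, since the Display page relies on the exact case `Display.admx`.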