From 38fc7a84a883c174914522e370a1bce94de721b3 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 17 Jan 2022 18:50:18 +0530 Subject: [PATCH] Updated --- .../policy-configuration-service-provider.md | 11 ++ .../mdm/policy-csp-remotedesktop.md | 159 ++---------------- windows/client-management/mdm/toc.yml | 2 + 3 files changed, 28 insertions(+), 144 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 02259ae42b..b49ece94c1 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -8179,6 +8179,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC +### RemoteDesktop policies + +
+
+ RemoteDesktop/AutoSubscription +
+
+ RemoteDesktop/LoadAadCredKeyFromProfile +
+
+ ### RemoteDesktopServices policies
diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md index 19de9949ac..5941d52099 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktop.md +++ b/windows/client-management/mdm/policy-csp-remotedesktop.md @@ -64,6 +64,8 @@ manager: dansimp +This policy allows the user to load the DPAPI cred key from their user profile and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. + @@ -105,160 +107,29 @@ ADMX Info: -This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance. - -If you enable this policy setting, log files are generated. - -If you disable this policy setting, log files are not generated. - -If you do not configure this setting, application-based settings are used. +This policy allows the user to load the DPAPI cred key from their user profile and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. + +The following list shows the supported values: + +- 0 (default) - Disabled. +- 1 - Enabled. + + + ADMX Info: -- GP Friendly name: *Turn on session logging* -- GP name: *RA_Logging* -- GP path: *System/Remote Assistance* -- GP ADMX file name: *remoteassistance.admx* +- GP Friendly name: *Allow DPAPI cred keys to be loaded from user profiles during logon for AADJ accounts* +- GP name: *LoadAadCredKeyFromProfile* +- GP path: *System/RemoteDesktop* +- GP ADMX file name: *remotedesktop.admx*
- -**RemoteAssistance/SolicitedRemoteAssistance** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. - -If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings. - -If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer. - -If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings. - -If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." - -The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open. - -The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported. - -If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications. - - - - -ADMX Info: -- GP Friendly name: *Configure Solicited Remote Assistance* -- GP name: *RA_Solicit* -- GP path: *System/Remote Assistance* -- GP ADMX file name: *remoteassistance.admx* - - - - -
- - -**RemoteAssistance/UnsolicitedRemoteAssistance** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. - -If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. - -If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. - -If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. - -If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance. - -To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format: - -`\` or - -`\` - -If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running. - -Windows Vista and later - -Enable the Remote Assistance exception for the domain profile. 
The exception must contain: -Port 135:TCP -%WINDIR%\System32\msra.exe -%WINDIR%\System32\raserver.exe - -Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1) - -Port 135:TCP -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -%WINDIR%\System32\Sessmgr.exe - -For computers running Windows Server 2003 with Service Pack 1 (SP1) - -Port 135:TCP -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -Allow Remote Desktop Exception - - - - -ADMX Info: -- GP Friendly name: *Configure Offer Remote Assistance* -- GP name: *RA_Unsolicit* -- GP path: *System/Remote Assistance* -- GP ADMX file name: *remoteassistance.admx* - - - -
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 8b642d0a06..91abc4caea 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -765,6 +765,8 @@ items: href: policy-csp-privacy.md - name: RemoteAssistance href: policy-csp-remoteassistance.md + - name: RemoteDesktop + href: policy-csp-remotedesktop.md - name: RemoteDesktopServices href: policy-csp-remotedesktopservices.md - name: RemoteManagement
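Review bot: In policy-csp-remotedesktop.md, the sentence added at @@ -64,6 +64,8 @@ is word for word the one added again at @@ -105,160 +107,29 @@, where the ADMX info names LoadAadCredKeyFromProfile. The index added to policy-configuration-service-provider.md lists two separate policies, RemoteDesktop/AutoSubscription and RemoteDesktop/LoadAadCredKeyFromProfile, so one of the two sections ends up carrying the other policy's description. If the section at line 64 is AutoSubscription, replace this sentence with a description of that policy and keep the DPAPI text only under LoadAadCredKeyFromProfile.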
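Review bot: The LoadAadCredKeyFromProfile description added at @@ -105,160 +107,29 @@ leaves out the scope given in the GP friendly name ("during logon for AADJ accounts") and does not say what the default value 0 means in practice. The setting controls whether DPAPI key material is loaded from the user profile, so an administrator needs to know what stays undecryptable while it is Disabled and in which scenario 1 should be set. Suggest stating the logon/AADJ scope in the description, adding one sentence per supported value, and spelling out "cred key" as "credential key".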