deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

bring even with main, fix merge conflict

Browse Source
This commit is contained in:
Aaron Czechowski 2024-02-05 15:31:27 -08:00
commit 3aeeb960e8
376 changed files with 7095 additions and 6727 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.openpublishing.redirection.json
View File

@ -1757,7 +1757,7 @@
}, },
{ {
"source_path": "windows/deploy/deploy-whats-new.md", "source_path": "windows/deploy/deploy-whats-new.md",
"redirect_url": "/windows/deployment/deploy-whats-new", "redirect_url": "/windows/deployment/",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {

185
.openpublishing.redirection.windows-configuration.json
View File

@ -389,6 +389,191 @@
"source_path": "windows/configuration/windows-diagnostic-data.md", "source_path": "windows/configuration/windows-diagnostic-data.md",
"redirect_url": "/windows/privacy/windows-diagnostic-data", "redirect_url": "/windows/privacy/windows-diagnostic-data",
"redirect_document_id": false "redirect_document_id": false
},
{
"source_path": "windows/configuration/changes-to-start-policies-in-windows-10.md",
"redirect_url": "/windows/configuration/start/customize-windows-10-start-screens-by-using-group-policy",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/configure-windows-10-taskbar.md",
"redirect_url": "/windows/configuration/taskbar/configure-windows-10-taskbar",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/customize-and-export-start-layout.md",
"redirect_url": "/windows/configuration/start/customize-and-export-start-layout",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/customize-start-menu-layout-windows-11.md",
"redirect_url": "/windows/configuration/start/customize-start-menu-layout-windows-11",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/customize-taskbar-windows-11.md",
"redirect_url": "/windows/configuration/taskbar/customize-taskbar-windows-11",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md",
"redirect_url": "/windows/configuration/start/customize-windows-10-start-screens-by-using-group-policy",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md",
"redirect_url": "/windows/configuration/start/customize-windows-10-start-screens-by-using-mobile-device-management",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md",
"redirect_url": "/windows/configuration/start/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/find-the-application-user-model-id-of-an-installed-app.md",
"redirect_url": "/windows/configuration/kiosk/find-the-application-user-model-id-of-an-installed-app",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/guidelines-for-assigned-access-app.md",
"redirect_url": "/windows/configuration/kiosk/guidelines-for-assigned-access-app",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk-additional-reference.md",
"redirect_url": "/windows/configuration/kiosk/kiosk-additional-reference",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk-mdm-bridge.md",
"redirect_url": "/windows/configuration/kiosk/kiosk-mdm-bridge",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk-methods.md",
"redirect_url": "/windows/configuration/kiosk/kiosk-methods",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk-policies.md",
"redirect_url": "/windows/configuration/kiosk/kiosk-policies",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk-prepare.md",
"redirect_url": "/windows/configuration/kiosk/kiosk-prepare",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk-shelllauncher.md",
"redirect_url": "/windows/configuration/kiosk/kiosk-shelllauncher",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk-single-app.md",
"redirect_url": "/windows/configuration/kiosk/kiosk-single-app",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk-validate.md",
"redirect_url": "/windows/configuration/kiosk/kiosk-validate",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/kiosk-xml.md",
"redirect_url": "/windows/configuration/kiosk/kiosk-xml",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/lockdown-features-windows-10.md",
"redirect_url": "/windows/configuration/kiosk/lockdown-features-windows-10",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/lock-down-windows-10-applocker.md",
"redirect_url": "/windows/configuration/kiosk/lock-down-windows-10-applocker",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/lock-down-windows-10-to-specific-apps.md",
"redirect_url": "/windows/configuration/kiosk/lock-down-windows-10-to-specific-apps",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/lock-down-windows-11-to-specific-apps.md",
"redirect_url": "/windows/configuration/kiosk/lock-down-windows-11-to-specific-apps",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/manage-tips-and-suggestions.md",
"redirect_url": "/windows/configuration/tips/manage-tips-and-suggestions",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/provisioning-apn.md",
"redirect_url": "/windows/configuration/cellular/provisioning-apn",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/setup-digital-signage.md",
"redirect_url": "/windows/configuration/kiosk/setup-digital-signage",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/set-up-shared-or-guest-pc.md",
"redirect_url": "/windows/configuration/shared-pc/set-up-shared-or-guest-pc",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/shared-devices-concepts.md",
"redirect_url": "/windows/configuration/shared-pc/shared-devices-concepts",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/shared-pc-technical.md",
"redirect_url": "/windows/configuration/shared-pc/shared-pc-technical",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/start-layout-xml-desktop.md",
"redirect_url": "/windows/configuration/start/start-layout-xml-desktop",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/start-secondary-tiles.md",
"redirect_url": "/windows/configuration/start/start-secondary-tiles",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/stop-employees-from-using-microsoft-store.md",
"redirect_url": "/windows/configuration/store/stop-employees-from-using-microsoft-store",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/supported-csp-start-menu-layout-windows.md",
"redirect_url": "/windows/configuration/start/supported-csp-start-menu-layout-windows",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/supported-csp-taskbar-windows.md",
"redirect_url": "/windows/configuration/taskbar/supported-csp-taskbar-windows",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/windows-10-start-layout-options-and-policies.md",
"redirect_url": "/windows/configuration/start/windows-10-start-layout-options-and-policies",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/windows-accessibility-for-ITPros.md",
"redirect_url": "/windows/configuration/accessibility",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/windows-spotlight.md",
"redirect_url": "/windows/configuration/lock-screen/windows-spotlight",
"redirect_document_id": false
} }
] ]
} }

12
.openpublishing.redirection.windows-deployment.json
View File

@ -187,7 +187,7 @@
}, },
{ {
"source_path": "windows/deployment/update/change-history-for-update-windows-10.md", "source_path": "windows/deployment/update/change-history-for-update-windows-10.md",
"redirect_url": "/windows/deployment/deploy-whats-new", "redirect_url": "/windows/deployment/",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -1114,6 +1114,16 @@
"source_path": "windows/deployment/windows-autopilot/windows-autopilot.md", "source_path": "windows/deployment/windows-autopilot/windows-autopilot.md",
"redirect_url": "/mem/autopilot/windows-autopilot", "redirect_url": "/mem/autopilot/windows-autopilot",
"redirect_document_id": false "redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-whats-new.md",
"redirect_url": "/windows/deployment/",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/Windows-AutoPilot-EULA-note.md",
"redirect_url": "/legal/windows/windows-autopilot-eula-note",
"redirect_document_id": false
} }
] ]
} }

0
browsers/edge/images/config-open-me-with-scenarios-tab.PNG → browsers/edge/images/config-open-me-with-scenarios-tab.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 51 KiB

After

Width:  |  Height:  |  Size: 51 KiB

4
education/docfx.json
View File

@ -34,8 +34,8 @@
"education", "education",
"tier2" "tier2"
], ],
"ms.prod": "windows-client", "ms.subservice": "itpro-edu",
"ms.technology": "itpro-edu", "ms.service": "windows-client",
"author": "paolomatarazzo", "author": "paolomatarazzo",
"ms.author": "paoloma", "ms.author": "paoloma",
"manager": "aaroncz", "manager": "aaroncz",

8
education/includes/education-content-updates.md
View File

@ -2,6 +2,14 @@
## Week of January 29, 2024
| Published On |Topic title | Change |
|------|------------|--------|
| 1/30/2024 | [Microsoft 365 Education Documentation](/education/index) | modified |
## Week of January 15, 2024 ## Week of January 15, 2024

2
education/windows/configure-aad-google-trust.md
View File

@ -26,7 +26,7 @@ To test federation, the following prerequisites must be met:
1. A Google Workspace environment, with users already created 1. A Google Workspace environment, with users already created
> [!IMPORTANT] > [!IMPORTANT]
> Users require an email address defined in Google Workspace, which is used to match the users in Microsoft Entra ID. > Users require an email address defined in Google Workspace, which is used to match the users in Microsoft Entra ID.
> For more information about identity matching, see [Identity matching in Microsoft Entra ID](federated-sign-in.md#identity-matching-in-azure-ad). > For more information about identity matching, see [Identity matching in Microsoft Entra ID](federated-sign-in.md#identity-matching-in-microsoft-entra-id).
1. Individual Microsoft Entra accounts already created: each Google Workspace user will require a matching account defined in Microsoft Entra ID. These accounts are commonly created through automated solutions, for example: 1. Individual Microsoft Entra accounts already created: each Google Workspace user will require a matching account defined in Microsoft Entra ID. These accounts are commonly created through automated solutions, for example:
- School Data Sync (SDS) - School Data Sync (SDS)
- Microsoft Entra Connect Sync for environment with on-premises AD DS - Microsoft Entra Connect Sync for environment with on-premises AD DS

6
education/windows/federated-sign-in.md
View File

@ -46,7 +46,7 @@ To enable a federated sign-in experience, the following prerequisites must be me
- PowerShell scripts that call the [Microsoft Graph API][GRAPH-1] - PowerShell scripts that call the [Microsoft Graph API][GRAPH-1]
- provisioning tools offered by the IdP - provisioning tools offered by the IdP
For more information about identity matching, see [Identity matching in Microsoft Entra ID](#identity-matching-in-azure-ad). For more information about identity matching, see [Identity matching in Microsoft Entra ID](#identity-matching-in-microsoft-entra-id).
1. Licenses assigned to the Microsoft Entra user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Microsoft Entra ID, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Microsoft Entra ID][AZ-2] 1. Licenses assigned to the Microsoft Entra user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Microsoft Entra ID, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Microsoft Entra ID][AZ-2]
1. Enable Federated sign-in or Web sign-in on the Windows devices, depending if the devices are shared or assigned to a single student 1. Enable Federated sign-in or Web sign-in on the Windows devices, depending if the devices are shared or assigned to a single student
@ -201,8 +201,6 @@ The following issues are known to affect student shared devices:
For student shared devices, it's recommended to configure the account management policies to automatically delete the user profiles after a certain period of inactivity or disk levels. For more information, see [Set up a shared or guest Windows device][WIN-3]. For student shared devices, it's recommended to configure the account management policies to automatically delete the user profiles after a certain period of inactivity or disk levels. For more information, see [Set up a shared or guest Windows device][WIN-3].
<a name='preferred-azure-ad-tenant-name'></a>
### Preferred Microsoft Entra tenant name ### Preferred Microsoft Entra tenant name
To improve the user experience, you can configure the *preferred Microsoft Entra tenant name* feature.\ To improve the user experience, you can configure the *preferred Microsoft Entra tenant name* feature.\
@ -210,8 +208,6 @@ When using preferred Microsoft Entra tenant name, the users bypass the disambigu
For more information about preferred tenant name, see [Authentication CSP - PreferredAadTenantDomainName][WIN-4]. For more information about preferred tenant name, see [Authentication CSP - PreferredAadTenantDomainName][WIN-4].
<a name='identity-matching-in-azure-ad'></a>
### Identity matching in Microsoft Entra ID ### Identity matching in Microsoft Entra ID
When a Microsoft Entra user is federated, the user's identity from the IdP must match an existing user object in Microsoft Entra ID. When a Microsoft Entra user is federated, the user's identity from the IdP must match an existing user object in Microsoft Entra ID.

0
education/windows/images/setedupolicies_omauri.PNG → education/windows/images/setedupolicies_omauri.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 25 KiB

After

Width:  |  Height:  |  Size: 25 KiB

0
education/windows/images/suspcs/suspc_getstarted_050817.PNG → education/windows/images/suspcs/suspc_getstarted_050817.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 64 KiB

After

Width:  |  Height:  |  Size: 64 KiB

0
education/windows/images/suspcs/suspc_runpackage_getpcsready.PNG → education/windows/images/suspcs/suspc_runpackage_getpcsready.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 54 KiB

After

Width:  |  Height:  |  Size: 54 KiB

0
education/windows/images/wcd/setedupolicies.PNG → education/windows/images/wcd/setedupolicies.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 83 KiB

After

Width:  |  Height:  |  Size: 83 KiB

0
education/windows/images/wcd/wcd_settings_assignedaccess.PNG → education/windows/images/wcd/wcd_settings_assignedaccess.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 60 KiB

After

Width:  |  Height:  |  Size: 60 KiB

2
education/windows/index.yml
View File

@ -6,8 +6,6 @@ brand: windows
metadata: metadata:
ms.topic: hub-page ms.topic: hub-page
ms.prod: windows-client
ms.technology: itpro-edu
ms.collection: ms.collection:
- education - education
- tier1 - tier1

4
education/windows/toc.yml
View File

@ -47,7 +47,7 @@ items:
- name: Configure federation between Google Workspace and Microsoft Entra ID - name: Configure federation between Google Workspace and Microsoft Entra ID
href: configure-aad-google-trust.md href: configure-aad-google-trust.md
- name: Configure Shared PC - name: Configure Shared PC
href: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context href: /windows/configuration/shared-pc/set-up-shared-or-guest-pc?context=/education/context/context
- name: Get and deploy Minecraft Education - name: Get and deploy Minecraft Education
href: get-minecraft-for-education.md href: get-minecraft-for-education.md
- name: Use the Set up School PCs app - name: Use the Set up School PCs app
@ -65,6 +65,6 @@ items:
- name: Take a Test technical reference - name: Take a Test technical reference
href: take-a-test-app-technical.md href: take-a-test-app-technical.md
- name: Shared PC technical reference - name: Shared PC technical reference
href: /windows/configuration/shared-pc-technical?context=/education/context/context href: /windows/configuration/shared-pc/shared-pc-technical?context=/education/context/context

0
store-for-business/images/msfb-add-collection.PNG → store-for-business/images/msfb-add-collection.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 10 KiB

After

Width:  |  Height:  |  Size: 10 KiB

0
store-for-business/images/wsfb-private-store-gpo.PNG → store-for-business/images/wsfb-private-store-gpo.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 24 KiB

After

Width:  |  Height:  |  Size: 24 KiB

BIN
windows/client-management/images/bing-chat-enterprise-chat-provider.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 103 KiB

BIN
windows/client-management/images/copilot-commercial-data-protection-chat-provider.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 111 KiB

BIN
windows/client-management/images/work-toggle-graph-grounded-chat.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 133 KiB

29
windows/client-management/manage-windows-copilot.md
View File

@ -3,7 +3,7 @@ title: Manage Copilot in Windows
description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows. description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows.
ms.topic: conceptual ms.topic: conceptual
ms.subservice: windows-copilot ms.subservice: windows-copilot
ms.date: 02/01/2024 ms.date: 02/05/2024
ms.author: mstewart ms.author: mstewart
author: mestew author: mestew
appliesto: appliesto:
@ -40,7 +40,7 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t
## Chat provider platforms for Copilot in Windows ## Chat provider platforms for Copilot in Windows
Copilot in Windows can use either Microsoft Copilot or Copilot with commercial data protection as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform is important because it's possible for users to copy and paste sensitive information into the chat. Each chat provider platform has different privacy and security protections. Copilot in Windows can use either Microsoft Copilot, Copilot with commercial data protection, or Copilot with Graph-grounded chat as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform is important because it's possible for users to copy and paste sensitive information into the chat. Each chat provider platform has different privacy and security protections.
### Copilot ### Copilot
@ -49,12 +49,14 @@ Copilot is a consumer experience and has a daily limit on the number of chat que
- [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) - [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a)
- The privacy statement for using Copilot follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. - The privacy statement for using Copilot follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section.
> [!Note]
> Copilot doesn't have access to Microsoft 365 Apps data, such as email, calendar, or files using Microsoft Graph, unlike [Copilot for Microsoft 365](/microsoft-365-copilot/microsoft-365-copilot-overview) which can be used in the Microsoft 365 apps.
### Copilot with commercial data protection ### Copilot with commercial data protection
[Copilot with commercial data protection](/copilot/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Copilot with commercial data protection: [Copilot with commercial data protection](/copilot/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Copilot with commercial data protection:
- User and organizational data is protected, chat data isn't saved, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing app for iOS or Android aren't currently supported. Copilot with commercial data protection is accessible from mobile browsers, including Edge mobile on iOS and Android. Review the Copilot with commercial data protection [privacy statement](/copilot/privacy-and-protections). - User and organizational data is protected, chat data isn't saved, and your data isn't used to train the underlying large language models (LLMs). Because of this protection, chat history, 3rd-party plugins, and the Bing app for iOS or Android aren't currently supported. Copilot with commercial data protection is accessible from mobile browsers, including Edge mobile on iOS and Android. Review the Copilot with commercial data protection [privacy statement](/copilot/privacy-and-protections).
- Copilot with commercial data protection is available, at no additional cost, for the following licenses: - Copilot with commercial data protection is available, at no additional cost, for the following licenses:
- Microsoft 365 E3 or E5 - Microsoft 365 E3 or E5
- Microsoft 365 F3 <!--8681080, 8681034--> - Microsoft 365 F3 <!--8681080, 8681034-->
@ -66,7 +68,16 @@ Copilot is a consumer experience and has a daily limit on the number of chat que
- Microsoft 365 Business Premium - Microsoft 365 Business Premium
> [!Note] > [!Note]
> Copilot doesn't have access to Microsoft 365 Apps data, such as email, calendar, or files using Microsoft Graph, unlike [Copilot for Microsoft 365](/microsoft-365-copilot/microsoft-365-copilot-overview) which can be used in the Microsoft 365 apps. > Copilot with commercial data protection doesn't have access to Microsoft 365 Apps data, such as email, calendar, or files using Microsoft Graph, unlike [Copilot for Microsoft 365](/microsoft-365-copilot/microsoft-365-copilot-overview) which can be used in the Microsoft 365 apps.
### Microsoft Copilot with Graph-grounded chat
<!---8639813-->
Copilot with Graph-grounded chat enables you to use your work content and context in Copilot for Windows. With Graph-grounded chat, you can draft content and get answers to questions, all securely grounded in your Microsoft Graph data such as user documents, emails, calendar, chats, meetings, and contacts. When you use the **Work** toggle in Copilot in Windows to query Graph-grounded chat, the following high-level privacy and security protections apply:
- Prompts, responses, and data accessed through Microsoft Graph aren't used to train foundational LLMs.
- It only surfaces organizational data to which individual users have at least view permissions.
- The information contained within your prompts, the data retrieved, and the generated responses remain within your tenant's service boundary. For more information about privacy and security for Graph-grounded chat, see [Data, Privacy, and Security for Microsoft Copilot for Microsoft 365](/microsoft-365-copilot/microsoft-365-copilot-privacy)
- Copilot with Graph-grounded chat is part of Copilot for Microsoft 365. Copilot for Microsoft 365 is an add-on plan. For more information about prerequisites and license requirements, see [Microsoft Copilot for Microsoft 365 requirements](/microsoft-365-copilot/microsoft-365-copilot-requirements#license-requirements).
## Configure the chat provider platform that Copilot in Windows uses ## Configure the chat provider platform that Copilot in Windows uses
@ -126,7 +137,15 @@ $users | Where-Object { -not $_.AssignedPlans -or ($_.AssignedPlans.Service -eq
When Copilot with commercial data protection is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield symbol labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed in this scenario: When Copilot with commercial data protection is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield symbol labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed in this scenario:
:::image type="content" source="images/bing-chat-enterprise-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Copilot with commercial data protection is the chat provider." lightbox="images/bing-chat-enterprise-chat-provider.png"::: :::image type="content" source="images/copilot-commercial-data-protection-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Copilot with commercial data protection is the chat provider." lightbox="images/copilot-commercial-data-protection-chat-provider.png":::
### Copilot with Graph-grounded chat as the chat provider platform
<!---8639813-->
When users are assigned [Microsoft Copilot for Microsoft 365](/microsoft-365-copilot/microsoft-365-copilot-setup) licenses, they're automatically presented with a **Work** toggle in Copilot for Windows. When **Work** is selected, Copilot with Graph-grounded chat is the chat provider platform used by Copilot in Windows. When using Graph-grounded chat, user prompts can securely access Microsoft Graph content, such as emails, chats, and documents.
:::image type="content" source="images/work-toggle-graph-grounded-chat.png" alt-text="Screenshot of the Copilot in Windows user experience when the work toggle is selected and the chart provider is Copilot with Graph-grounded chat." lightbox="images/work-toggle-graph-grounded-chat.png":::
## Ensure the Copilot in Windows user experience is enabled ## Ensure the Copilot in Windows user experience is enabled

48
windows/client-management/mdm/applicationcontrol-csp-ddf.md
View File

@ -1,7 +1,7 @@
--- ---
title: ApplicationControl DDF file title: ApplicationControl DDF file
description: View the XML file containing the device description framework (DDF) for the ApplicationControl configuration service provider. description: View the XML file containing the device description framework (DDF) for the ApplicationControl configuration service provider.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the A
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.18362</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.18362</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion> <MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList> <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability> </MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
@ -313,6 +313,50 @@ The following XML file contains the device description framework (DDF) for the A
</DFType> </DFType>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>BasePolicyId</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The BasePolicyId of the Policy Indicated by the Policy GUID</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>BasePolicyId</DFTitle>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PolicyOptions</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The PolicyOptions of the Policy Indicated by the Policy GUID</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>PolicyOptions</DFTitle>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
</Node> </Node>
</Node> </Node>
</Node> </Node>

82
windows/client-management/mdm/applicationcontrol-csp.md
View File

@ -1,7 +1,7 @@
--- ---
title: ApplicationControl CSP title: ApplicationControl CSP
description: Learn more about the ApplicationControl CSP. description: Learn more about the ApplicationControl CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -24,12 +24,14 @@ The following list shows the ApplicationControl configuration service provider n
- [{Policy GUID}](#policiespolicy-guid) - [{Policy GUID}](#policiespolicy-guid)
- [Policy](#policiespolicy-guidpolicy) - [Policy](#policiespolicy-guidpolicy)
- [PolicyInfo](#policiespolicy-guidpolicyinfo) - [PolicyInfo](#policiespolicy-guidpolicyinfo)
- [BasePolicyId](#policiespolicy-guidpolicyinfobasepolicyid)
- [FriendlyName](#policiespolicy-guidpolicyinfofriendlyname) - [FriendlyName](#policiespolicy-guidpolicyinfofriendlyname)
- [IsAuthorized](#policiespolicy-guidpolicyinfoisauthorized) - [IsAuthorized](#policiespolicy-guidpolicyinfoisauthorized)
- [IsBasePolicy](#policiespolicy-guidpolicyinfoisbasepolicy) - [IsBasePolicy](#policiespolicy-guidpolicyinfoisbasepolicy)
- [IsDeployed](#policiespolicy-guidpolicyinfoisdeployed) - [IsDeployed](#policiespolicy-guidpolicyinfoisdeployed)
- [IsEffective](#policiespolicy-guidpolicyinfoiseffective) - [IsEffective](#policiespolicy-guidpolicyinfoiseffective)
- [IsSystemPolicy](#policiespolicy-guidpolicyinfoissystempolicy) - [IsSystemPolicy](#policiespolicy-guidpolicyinfoissystempolicy)
- [PolicyOptions](#policiespolicy-guidpolicyinfopolicyoptions)
- [Status](#policiespolicy-guidpolicyinfostatus) - [Status](#policiespolicy-guidpolicyinfostatus)
- [Version](#policiespolicy-guidpolicyinfoversion) - [Version](#policiespolicy-guidpolicyinfoversion)
- [Tokens](#tokens) - [Tokens](#tokens)
@ -200,6 +202,45 @@ Information Describing the Policy indicated by the GUID.
<!-- Device-Policies-{Policy GUID}-PolicyInfo-End --> <!-- Device-Policies-{Policy GUID}-PolicyInfo-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-Begin -->
##### Policies/{Policy GUID}/PolicyInfo/BasePolicyId
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-Applicability-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/BasePolicyId
```
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-OmaUri-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-Description-Begin -->
<!-- Description-Source-DDF -->
The BasePolicyId of the Policy Indicated by the Policy GUID.
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-Description-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-Editable-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-DFProperties-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-Examples-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-FriendlyName-Begin --> <!-- Device-Policies-{Policy GUID}-PolicyInfo-FriendlyName-Begin -->
##### Policies/{Policy GUID}/PolicyInfo/FriendlyName ##### Policies/{Policy GUID}/PolicyInfo/FriendlyName
@ -446,6 +487,45 @@ TRUE/FALSE if the Policy is a System Policy, that's a policy managed by Microsof
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsSystemPolicy-End --> <!-- Device-Policies-{Policy GUID}-PolicyInfo-IsSystemPolicy-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-Begin -->
##### Policies/{Policy GUID}/PolicyInfo/PolicyOptions
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-Applicability-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/PolicyOptions
```
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-OmaUri-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-Description-Begin -->
<!-- Description-Source-DDF -->
The PolicyOptions of the Policy Indicated by the Policy GUID.
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-Description-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-Editable-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-DFProperties-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-Examples-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Status-Begin --> <!-- Device-Policies-{Policy GUID}-PolicyInfo-Status-Begin -->
##### Policies/{Policy GUID}/PolicyInfo/Status ##### Policies/{Policy GUID}/PolicyInfo/Status

3
windows/client-management/mdm/certificatestore-csp.md
View File

@ -1,7 +1,7 @@
--- ---
title: CertificateStore CSP title: CertificateStore CSP
description: Learn more about the CertificateStore CSP. description: Learn more about the CertificateStore CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -2384,6 +2384,7 @@ Optional. Notify the client whether enrollment server supports ROBO auto certifi
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| true (Default) | True. | | true (Default) | True. |
| false | False. |
<!-- Device-MY-WSTEP-Renew-ROBOSupport-AllowedValues-End --> <!-- Device-MY-WSTEP-Renew-ROBOSupport-AllowedValues-End -->
<!-- Device-MY-WSTEP-Renew-ROBOSupport-Examples-Begin --> <!-- Device-MY-WSTEP-Renew-ROBOSupport-Examples-Begin -->

8
windows/client-management/mdm/certificatestore-ddf-file.md
View File

@ -1,7 +1,7 @@
--- ---
title: CertificateStore DDF file title: CertificateStore DDF file
description: View the XML file containing the device description framework (DDF) for the CertificateStore configuration service provider. description: View the XML file containing the device description framework (DDF) for the CertificateStore configuration service provider.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the C
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion> <MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList> <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability> </MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
@ -1252,6 +1252,10 @@ The following XML file contains the device description framework (DDF) for the C
<MSFT:Value>true</MSFT:Value> <MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>True</MSFT:ValueDescription> <MSFT:ValueDescription>True</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>False</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>

10
windows/client-management/mdm/clientcertificateinstall-csp.md
View File

@ -1,7 +1,7 @@
--- ---
title: ClientCertificateInstall CSP title: ClientCertificateInstall CSP
description: Learn more about the ClientCertificateInstall CSP. description: Learn more about the ClientCertificateInstall CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -392,7 +392,7 @@ When a value of "2" is contained in PFXCertPasswordEncryptionType, specify the s
|:--|:--| |:--|:--|
| Format | `chr` (string) | | Format | `chr` (string) |
| Access Type | Add, Get, Replace | | Access Type | Add, Get, Replace |
| Dependency [EncryptionTypeDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType` <br> Dependency Allowed Value: `[2]` <br> Dependency Allowed Value Type: `Range` <br> | | Dependency [EncryptionTypeDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType` <br> Dependency Allowed Value: `[2]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- Device-PFXCertInstall-{UniqueID}-PFXCertPasswordEncryptionStore-DFProperties-End --> <!-- Device-PFXCertInstall-{UniqueID}-PFXCertPasswordEncryptionStore-DFProperties-End -->
<!-- Device-PFXCertInstall-{UniqueID}-PFXCertPasswordEncryptionStore-Examples-Begin --> <!-- Device-PFXCertInstall-{UniqueID}-PFXCertPasswordEncryptionStore-Examples-Begin -->
@ -492,7 +492,7 @@ The PFX isn't exportable when it's installed to TPM.
| Format | `bool` | | Format | `bool` |
| Access Type | Add, Get, Replace | | Access Type | Add, Get, Replace |
| Default Value | true | | Default Value | true |
| Dependency [KeyLocationDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation` <br> Dependency Allowed Value: `[3]` <br> Dependency Allowed Value Type: `Range` <br> | | Dependency [KeyLocationDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation` <br> Dependency Allowed Value: `[3]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- Device-PFXCertInstall-{UniqueID}-PFXKeyExportable-DFProperties-End --> <!-- Device-PFXCertInstall-{UniqueID}-PFXKeyExportable-DFProperties-End -->
<!-- Device-PFXCertInstall-{UniqueID}-PFXKeyExportable-AllowedValues-Begin --> <!-- Device-PFXCertInstall-{UniqueID}-PFXKeyExportable-AllowedValues-Begin -->
@ -1968,7 +1968,7 @@ When a value of "2" is contained in PFXCertPasswordEncryptionType, specify the s
|:--|:--| |:--|:--|
| Format | `chr` (string) | | Format | `chr` (string) |
| Access Type | Add, Get, Replace | | Access Type | Add, Get, Replace |
| Dependency [EncryptionTypeDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType` <br> Dependency Allowed Value: `[2]` <br> Dependency Allowed Value Type: `Range` <br> | | Dependency [EncryptionTypeDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType` <br> Dependency Allowed Value: `[2]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- User-PFXCertInstall-{UniqueID}-PFXCertPasswordEncryptionStore-DFProperties-End --> <!-- User-PFXCertInstall-{UniqueID}-PFXCertPasswordEncryptionStore-DFProperties-End -->
<!-- User-PFXCertInstall-{UniqueID}-PFXCertPasswordEncryptionStore-Examples-Begin --> <!-- User-PFXCertInstall-{UniqueID}-PFXCertPasswordEncryptionStore-Examples-Begin -->
@ -2066,7 +2066,7 @@ Optional. Used to specify if the private key installed is exportable (can be exp
| Format | `bool` | | Format | `bool` |
| Access Type | Add, Get, Replace | | Access Type | Add, Get, Replace |
| Default Value | true | | Default Value | true |
| Dependency [KeyLocationDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation` <br> Dependency Allowed Value: `[3]` <br> Dependency Allowed Value Type: `Range` <br> | | Dependency [KeyLocationDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation` <br> Dependency Allowed Value: `[3]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- User-PFXCertInstall-{UniqueID}-PFXKeyExportable-DFProperties-End --> <!-- User-PFXCertInstall-{UniqueID}-PFXKeyExportable-DFProperties-End -->
<!-- User-PFXCertInstall-{UniqueID}-PFXKeyExportable-AllowedValues-Begin --> <!-- User-PFXCertInstall-{UniqueID}-PFXKeyExportable-AllowedValues-Begin -->

14
windows/client-management/mdm/clientcertificateinstall-ddf-file.md
View File

@ -1,7 +1,7 @@
--- ---
title: ClientCertificateInstall DDF file title: ClientCertificateInstall DDF file
description: View the XML file containing the device description framework (DDF) for the ClientCertificateInstall configuration service provider. description: View the XML file containing the device description framework (DDF) for the ClientCertificateInstall configuration service provider.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the C
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion> <MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList> <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability> </MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
@ -294,7 +294,7 @@ If the value is
<MSFT:DependencyBehavior> <MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="KeyLocationDependency"> <MSFT:DependencyGroup FriendlyId="KeyLocationDependency">
<MSFT:Dependency Type="DependsOn"> <MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation</MSFT:DependencyUri> <MSFT:DependencyUri>User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="Range"> <MSFT:DependencyAllowedValue ValueType="Range">
<MSFT:Value>[3]</MSFT:Value> <MSFT:Value>[3]</MSFT:Value>
</MSFT:DependencyAllowedValue> </MSFT:DependencyAllowedValue>
@ -372,7 +372,7 @@ When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the
<MSFT:DependencyBehavior> <MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="EncryptionTypeDependency"> <MSFT:DependencyGroup FriendlyId="EncryptionTypeDependency">
<MSFT:Dependency Type="DependsOn"> <MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType</MSFT:DependencyUri> <MSFT:DependencyUri>User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="Range"> <MSFT:DependencyAllowedValue ValueType="Range">
<MSFT:Value>[2]</MSFT:Value> <MSFT:Value>[2]</MSFT:Value>
</MSFT:DependencyAllowedValue> </MSFT:DependencyAllowedValue>
@ -1122,7 +1122,7 @@ Valid values are:
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion> <MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList> <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability> </MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
@ -1377,7 +1377,7 @@ If the value is
<MSFT:DependencyBehavior> <MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="KeyLocationDependency"> <MSFT:DependencyGroup FriendlyId="KeyLocationDependency">
<MSFT:Dependency Type="DependsOn"> <MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation</MSFT:DependencyUri> <MSFT:DependencyUri>Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="Range"> <MSFT:DependencyAllowedValue ValueType="Range">
<MSFT:Value>[3]</MSFT:Value> <MSFT:Value>[3]</MSFT:Value>
</MSFT:DependencyAllowedValue> </MSFT:DependencyAllowedValue>
@ -1455,7 +1455,7 @@ When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the
<MSFT:DependencyBehavior> <MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="EncryptionTypeDependency"> <MSFT:DependencyGroup FriendlyId="EncryptionTypeDependency">
<MSFT:Dependency Type="DependsOn"> <MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType</MSFT:DependencyUri> <MSFT:DependencyUri>Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="Range"> <MSFT:DependencyAllowedValue ValueType="Range">
<MSFT:Value>[2]</MSFT:Value> <MSFT:Value>[2]</MSFT:Value>
</MSFT:DependencyAllowedValue> </MSFT:DependencyAllowedValue>

8
windows/client-management/mdm/clouddesktop-ddf-file.md
View File

@ -1,7 +1,7 @@
--- ---
title: CloudDesktop DDF file title: CloudDesktop DDF file
description: View the XML file containing the device description framework (DDF) for the CloudDesktop configuration service provider. description: View the XML file containing the device description framework (DDF) for the CloudDesktop configuration service provider.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the C
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion> <MSFT:CspVersion>9.9</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;</MSFT:EditionAllowList> <MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability> </MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
@ -53,7 +53,7 @@ The following XML file contains the device description framework (DDF) for the C
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>0</DefaultValue> <DefaultValue>0</DefaultValue>
<Description>This node allows to configure different kinds of Boot to Cloud mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. For using this feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned. This node supports the below options: 0. Not Configured. 1. Enable Boot to Cloud Shared PC Mode: Boot to Cloud Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. 2. Enable Boot to Cloud Personal Mode (Cloud only): Personal mode allows user to sign-in on the device using various authentication mechanism configured by their organization (For ex. PIN, Biometrics etc). This mode preserves user personalization, including their profile picture and username in local machine, and facilitates fast account switching.</Description> <Description>This node allows to configure different kinds of Boot to Cloud mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. For using this feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned. This node supports the below options: 0. Not Configured. 1. Enable Boot to Cloud Shared PC Mode: Boot to Cloud Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. 2. Enable Boot to Cloud Dedicated Mode (Cloud only): Dedicated mode allows user to sign-in on the device using various authentication mechanism configured by their organization (For ex. PIN, Biometrics etc). This mode preserves user personalization, including their profile picture and username in local machine, and facilitates fast account switching.</Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
@ -82,7 +82,7 @@ The following XML file contains the device description framework (DDF) for the C
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>2</MSFT:Value> <MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Enable Boot to Cloud Personal Mode (Cloud only)</MSFT:ValueDescription> <MSFT:ValueDescription>Enable Boot to Cloud Dedicated Mode (Cloud only)</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>

605
windows/client-management/mdm/defender-csp.md
View File

@ -1,7 +1,7 @@
--- ---
title: Defender CSP title: Defender CSP
description: Learn more about the Defender CSP. description: Learn more about the Defender CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -24,7 +24,20 @@ The following list shows the Defender configuration service provider nodes:
- [AllowNetworkProtectionDownLevel](#configurationallownetworkprotectiondownlevel) - [AllowNetworkProtectionDownLevel](#configurationallownetworkprotectiondownlevel)
- [AllowNetworkProtectionOnWinServer](#configurationallownetworkprotectiononwinserver) - [AllowNetworkProtectionOnWinServer](#configurationallownetworkprotectiononwinserver)
- [AllowSwitchToAsyncInspection](#configurationallowswitchtoasyncinspection) - [AllowSwitchToAsyncInspection](#configurationallowswitchtoasyncinspection)
- [ArchiveMaxDepth](#configurationarchivemaxdepth)
- [ArchiveMaxSize](#configurationarchivemaxsize)
- [ASROnlyPerRuleExclusions](#configurationasronlyperruleexclusions) - [ASROnlyPerRuleExclusions](#configurationasronlyperruleexclusions)
- [BehavioralNetworkBlocks](#configurationbehavioralnetworkblocks)
- [BruteForceProtection](#configurationbehavioralnetworkblocksbruteforceprotection)
- [BruteForceProtectionAggressiveness](#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionaggressiveness)
- [BruteForceProtectionConfiguredState](#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionconfiguredstate)
- [BruteForceProtectionExclusions](#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionexclusions)
- [BruteForceProtectionMaxBlockTime](#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionmaxblocktime)
- [RemoteEncryptionProtection](#configurationbehavioralnetworkblocksremoteencryptionprotection)
- [RemoteEncryptionProtectionAggressiveness](#configurationbehavioralnetworkblocksremoteencryptionprotectionremoteencryptionprotectionaggressiveness)
- [RemoteEncryptionProtectionConfiguredState](#configurationbehavioralnetworkblocksremoteencryptionprotectionremoteencryptionprotectionconfiguredstate)
- [RemoteEncryptionProtectionExclusions](#configurationbehavioralnetworkblocksremoteencryptionprotectionremoteencryptionprotectionexclusions)
- [RemoteEncryptionProtectionMaxBlockTime](#configurationbehavioralnetworkblocksremoteencryptionprotectionremoteencryptionprotectionmaxblocktime)
- [DataDuplicationDirectory](#configurationdataduplicationdirectory) - [DataDuplicationDirectory](#configurationdataduplicationdirectory)
- [DataDuplicationLocalRetentionPeriod](#configurationdataduplicationlocalretentionperiod) - [DataDuplicationLocalRetentionPeriod](#configurationdataduplicationlocalretentionperiod)
- [DataDuplicationMaximumQuota](#configurationdataduplicationmaximumquota) - [DataDuplicationMaximumQuota](#configurationdataduplicationmaximumquota)
@ -356,6 +369,88 @@ Control whether network protection can improve performance by switching from rea
<!-- Device-Configuration-AllowSwitchToAsyncInspection-End --> <!-- Device-Configuration-AllowSwitchToAsyncInspection-End -->
<!-- Device-Configuration-ArchiveMaxDepth-Begin -->
### Configuration/ArchiveMaxDepth
<!-- Device-Configuration-ArchiveMaxDepth-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-ArchiveMaxDepth-Applicability-End -->
<!-- Device-Configuration-ArchiveMaxDepth-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/ArchiveMaxDepth
```
<!-- Device-Configuration-ArchiveMaxDepth-OmaUri-End -->
<!-- Device-Configuration-ArchiveMaxDepth-Description-Begin -->
<!-- Description-Source-DDF -->
Specify the maximum folder depth to extract from archive files for scanning. If this configuration is off or not set, the default value (0) is applied, and all archives are extracted up to the deepest folder for scanning.
<!-- Device-Configuration-ArchiveMaxDepth-Description-End -->
<!-- Device-Configuration-ArchiveMaxDepth-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-ArchiveMaxDepth-Editable-End -->
<!-- Device-Configuration-ArchiveMaxDepth-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-4294967295]` |
| Default Value | 0 |
<!-- Device-Configuration-ArchiveMaxDepth-DFProperties-End -->
<!-- Device-Configuration-ArchiveMaxDepth-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-ArchiveMaxDepth-Examples-End -->
<!-- Device-Configuration-ArchiveMaxDepth-End -->
<!-- Device-Configuration-ArchiveMaxSize-Begin -->
### Configuration/ArchiveMaxSize
<!-- Device-Configuration-ArchiveMaxSize-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-ArchiveMaxSize-Applicability-End -->
<!-- Device-Configuration-ArchiveMaxSize-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/ArchiveMaxSize
```
<!-- Device-Configuration-ArchiveMaxSize-OmaUri-End -->
<!-- Device-Configuration-ArchiveMaxSize-Description-Begin -->
<!-- Description-Source-DDF -->
Specify the maximum size, in KB, of archive files to be extracted and scanned. If this configuration is off or not set, the default value (0) is applied, and all archives are extracted and scanned regardless of size.
<!-- Device-Configuration-ArchiveMaxSize-Description-End -->
<!-- Device-Configuration-ArchiveMaxSize-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-ArchiveMaxSize-Editable-End -->
<!-- Device-Configuration-ArchiveMaxSize-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-4294967295]` |
| Default Value | 0 |
<!-- Device-Configuration-ArchiveMaxSize-DFProperties-End -->
<!-- Device-Configuration-ArchiveMaxSize-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-ArchiveMaxSize-Examples-End -->
<!-- Device-Configuration-ArchiveMaxSize-End -->
<!-- Device-Configuration-ASROnlyPerRuleExclusions-Begin --> <!-- Device-Configuration-ASROnlyPerRuleExclusions-Begin -->
### Configuration/ASROnlyPerRuleExclusions ### Configuration/ASROnlyPerRuleExclusions
@ -395,6 +490,485 @@ Apply ASR only per rule exclusions.
<!-- Device-Configuration-ASROnlyPerRuleExclusions-End --> <!-- Device-Configuration-ASROnlyPerRuleExclusions-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-Begin -->
### Configuration/BehavioralNetworkBlocks
<!-- Device-Configuration-BehavioralNetworkBlocks-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks
```
<!-- Device-Configuration-BehavioralNetworkBlocks-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Device-Configuration-BehavioralNetworkBlocks-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
<!-- Device-Configuration-BehavioralNetworkBlocks-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-Begin -->
#### Configuration/BehavioralNetworkBlocks/BruteForceProtection
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection
```
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-Begin -->
##### Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionAggressiveness
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionAggressiveness
```
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-Description-Begin -->
<!-- Description-Source-DDF -->
Set the criteria for when Brute-Force Protection blocks IP addresses.
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Low: Only IP addresses that are 100% confidence malicious (default). |
| 1 | Medium: Use cloud aggregation to block IP addresses that are over 99% likely malicious. |
| 2 | High: Block IP addresses identified using client intelligence and context to block IP addresses that are over 90% likely malicious. |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-AllowedValues-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-Begin -->
##### Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionConfiguredState
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionConfiguredState
```
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-Description-Begin -->
<!-- Description-Source-DDF -->
Brute-Force Protection in Microsoft Defender Antivirus detects and blocks attempts to forcibly sign in and initiate sessions.
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Not configured: Apply defaults set by the antivirus engine and platform. |
| 1 | Block: Prevent suspicious and malicious behaviors. |
| 2 | Audit: Generate EDR detections without blocking. |
| 4 | Off: Feature is disabled with no performance impact. |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-AllowedValues-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-Begin -->
##### Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionExclusions
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionExclusions
```
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-Description-Begin -->
<!-- Description-Source-DDF -->
Specify IP addresses, subnets, or workstation names to exclude from being blocked by Brute-Force Protection. Note that attackers can spoof excluded addresses and names to bypass protection.
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `|`) |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-Begin -->
##### Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionMaxBlockTime
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionMaxBlockTime
```
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-Description-Begin -->
<!-- Description-Source-DDF -->
Set the maximum time an IP address is blocked by Brute-Force Protection. After this time, blocked IP addresses will be able to sign-in and initiate sessions. If set to 0, internal feature logic will determine blocking time.
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-4294967295]` |
| Default Value | 0 |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-Begin -->
#### Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection
```
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-Begin -->
##### Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionAggressiveness
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionAggressiveness
```
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-Description-Begin -->
<!-- Description-Source-DDF -->
Set the criteria for when Remote Encryption Protection blocks IP addresses.
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Low: Block only when confidence level is 100% (Default). |
| 1 | Medium: Use cloud aggregation and block when confidence level is above 99%. |
| 2 | High: Use cloud intel and context, and block when confidence level is above 90%. |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-AllowedValues-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-Begin -->
##### Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionConfiguredState
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionConfiguredState
```
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-Description-Begin -->
<!-- Description-Source-DDF -->
Remote Encryption Protection in Microsoft Defender Antivirus detects and blocks attempts to replace local files with encrypted versions from another device.
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Not configured: Apply defaults set for the antivirus engine and platform. |
| 1 | Block: Prevent suspicious and malicious behaviors. |
| 2 | Audit: Generate EDR detections without blocking. |
| 4 | Off: Feature is off with no performance impact. |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-AllowedValues-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-Begin -->
##### Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionExclusions
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionExclusions
```
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-Description-Begin -->
<!-- Description-Source-DDF -->
Specify IP addresses, subnets, or workstation names to exclude from being blocked by Remote Encryption Protection. Note that attackers can spoof excluded addresses and names to bypass protection.
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `|`) |
| Default Value | 0 |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-Begin -->
##### Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionMaxBlockTime
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionMaxBlockTime
```
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-Description-Begin -->
<!-- Description-Source-DDF -->
Set the maximum time an IP address is blocked by Remote Encryption Protection. After this time, blocked IP addresses will be able to reinitiate connections. If set to 0, internal feature logic will determine blocking time.
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-4294967295]` |
| Default Value | 0 |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-End -->
<!-- Device-Configuration-DataDuplicationDirectory-Begin --> <!-- Device-Configuration-DataDuplicationDirectory-Begin -->
### Configuration/DataDuplicationDirectory ### Configuration/DataDuplicationDirectory
@ -533,7 +1107,7 @@ Defines the maximum data duplication quota in MB that can be collected. When the
<!-- Device-Configuration-DataDuplicationRemoteLocation-Description-Begin --> <!-- Device-Configuration-DataDuplicationRemoteLocation-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Define data duplication remote location for device control. Define data duplication remote location for Device Control. When configuring this setting, ensure that Device Control is Enabled and that the provided path is a remote path the user can access.
<!-- Device-Configuration-DataDuplicationRemoteLocation-Description-End --> <!-- Device-Configuration-DataDuplicationRemoteLocation-Description-End -->
<!-- Device-Configuration-DataDuplicationRemoteLocation-Editable-Begin --> <!-- Device-Configuration-DataDuplicationRemoteLocation-Editable-Begin -->
@ -1834,8 +2408,8 @@ This setting enables the DNS Sinkhole feature for Network Protection, respecting
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 1 (Default) | DNS Sinkhole is disabled. | | 0 | DNS Sinkhole is disabled. |
| 0 | DNS Sinkhole is enabled. | | 1 (Default) | DNS Sinkhole is enabled. |
<!-- Device-Configuration-EnableDnsSinkhole-AllowedValues-End --> <!-- Device-Configuration-EnableDnsSinkhole-AllowedValues-End -->
<!-- Device-Configuration-EnableDnsSinkhole-Examples-Begin --> <!-- Device-Configuration-EnableDnsSinkhole-Examples-Begin -->
@ -2202,7 +2776,7 @@ Allow managed devices to update through metered connections. Default is 0 - not
<!-- Device-Configuration-NetworkProtectionReputationMode-Description-Begin --> <!-- Device-Configuration-NetworkProtectionReputationMode-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This sets the reputation mode for Network Protection. This sets the reputation mode engine for Network Protection.
<!-- Device-Configuration-NetworkProtectionReputationMode-Description-End --> <!-- Device-Configuration-NetworkProtectionReputationMode-Description-End -->
<!-- Device-Configuration-NetworkProtectionReputationMode-Editable-Begin --> <!-- Device-Configuration-NetworkProtectionReputationMode-Editable-Begin -->
@ -2219,6 +2793,15 @@ This sets the reputation mode for Network Protection.
| Default Value | 0 | | Default Value | 0 |
<!-- Device-Configuration-NetworkProtectionReputationMode-DFProperties-End --> <!-- Device-Configuration-NetworkProtectionReputationMode-DFProperties-End -->
<!-- Device-Configuration-NetworkProtectionReputationMode-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Use standard reputation engine. |
| 1 | Use ESP reputation engine. |
<!-- Device-Configuration-NetworkProtectionReputationMode-AllowedValues-End -->
<!-- Device-Configuration-NetworkProtectionReputationMode-Examples-Begin --> <!-- Device-Configuration-NetworkProtectionReputationMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. --> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-NetworkProtectionReputationMode-Examples-End --> <!-- Device-Configuration-NetworkProtectionReputationMode-Examples-End -->
@ -2743,9 +3326,19 @@ Defines which device's primary ids should be secured by Defender Device Control.
|:--|:--| |:--|:--|
| Format | `chr` (string) | | Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Regular Expression: `^RemovableMediaDevices|CdRomDevices|WpdDevices|PrinterDevices$` |
<!-- Device-Configuration-SecuredDevicesConfiguration-DFProperties-End --> <!-- Device-Configuration-SecuredDevicesConfiguration-DFProperties-End -->
<!-- Device-Configuration-SecuredDevicesConfiguration-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| RemovableMediaDevices | RemovableMediaDevices. |
| CdRomDevices | CdRomDevices. |
| WpdDevices | WpdDevices. |
| PrinterDevices | PrinterDevices. |
<!-- Device-Configuration-SecuredDevicesConfiguration-AllowedValues-End -->
<!-- Device-Configuration-SecuredDevicesConfiguration-Examples-Begin --> <!-- Device-Configuration-SecuredDevicesConfiguration-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. --> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-SecuredDevicesConfiguration-Examples-End --> <!-- Device-Configuration-SecuredDevicesConfiguration-Examples-End -->

476
windows/client-management/mdm/defender-ddf.md
View File

@ -1,7 +1,7 @@
--- ---
title: Defender DDF file title: Defender DDF file
description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider. description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion> <MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList> <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability> </MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
@ -1747,11 +1747,11 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:Applicability> </MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM"> <MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>1</MSFT:Value> <MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>DNS Sinkhole is disabled</MSFT:ValueDescription> <MSFT:ValueDescription>DNS Sinkhole is disabled</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>0</MSFT:Value> <MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>DNS Sinkhole is enabled</MSFT:ValueDescription> <MSFT:ValueDescription>DNS Sinkhole is enabled</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
@ -2464,7 +2464,7 @@ The following XML file contains the device description framework (DDF) for the D
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>Define data duplication remote location for device control.</Description> <Description>Define data duplication remote location for Device Control. When configuring this setting, ensure that Device Control is Enabled and that the provided path is a remote path the user can access.</Description>
<DFFormat> <DFFormat>
<chr /> <chr />
</DFFormat> </DFFormat>
@ -2511,8 +2511,23 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion> <MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability> </MSFT:Applicability>
<MSFT:AllowedValues ValueType="RegEx"> <MSFT:AllowedValues ValueType="ENUM">
<MSFT:Value>^RemovableMediaDevices|CdRomDevices|WpdDevices|PrinterDevices$</MSFT:Value> <MSFT:Enum>
<MSFT:Value>RemovableMediaDevices</MSFT:Value>
<MSFT:ValueDescription>RemovableMediaDevices</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>CdRomDevices</MSFT:Value>
<MSFT:ValueDescription>CdRomDevices</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>WpdDevices</MSFT:Value>
<MSFT:ValueDescription>WpdDevices</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>PrinterDevices</MSFT:Value>
<MSFT:ValueDescription>PrinterDevices</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:List Delimiter="|" /> <MSFT:List Delimiter="|" />
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
@ -2837,7 +2852,7 @@ The following XML file contains the device description framework (DDF) for the D
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>0</DefaultValue> <DefaultValue>0</DefaultValue>
<Description>This sets the reputation mode for Network Protection.</Description> <Description>This sets the reputation mode engine for Network Protection.</Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
@ -2854,6 +2869,16 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion> <MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability> </MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Use standard reputation engine</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Use ESP reputation engine</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -2934,6 +2959,70 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>ArchiveMaxSize</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Specify the maximum size, in KB, of archive files to be extracted and scanned. If this configuration is off or not set, the default value (0) is applied, and all archives are extracted and scanned regardless of size.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[0-4294967295]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ArchiveMaxDepth</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Specify the maximum folder depth to extract from archive files for scanning. If this configuration is off or not set, the default value (0) is applied, and all archives are extracted up to the deepest folder for scanning.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[0-4294967295]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node> <Node>
<NodeName>ScanOnlyIfIdleEnabled</NodeName> <NodeName>ScanOnlyIfIdleEnabled</NodeName>
<DFProperties> <DFProperties>
@ -3012,6 +3101,377 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>BehavioralNetworkBlocks</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>RemoteEncryptionProtection</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>RemoteEncryptionProtectionConfiguredState</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Remote Encryption Protection in Microsoft Defender Antivirus detects and blocks attempts to replace local files with encrypted versions from another device.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Not configured: Apply defaults set for the antivirus engine and platform</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Block: Prevent suspicious and malicious behaviors</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Audit: Generate EDR detections without blocking</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>4</MSFT:Value>
<MSFT:ValueDescription>Off: Feature is off with no performance impact</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>RemoteEncryptionProtectionMaxBlockTime</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Set the maximum time an IP address is blocked by Remote Encryption Protection. After this time, blocked IP addresses will be able to reinitiate connections. If set to 0, internal feature logic will determine blocking time.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[0-4294967295]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>RemoteEncryptionProtectionAggressiveness</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Set the criteria for when Remote Encryption Protection blocks IP addresses.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Low: Block only when confidence level is 100% (Default)</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Medium: Use cloud aggregation and block when confidence level is above 99%</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>High: Use cloud intel and context, and block when confidence level is above 90%</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>RemoteEncryptionProtectionExclusions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Specify IP addresses, subnets, or workstation names to exclude from being blocked by Remote Encryption Protection. Note that attackers can spoof excluded addresses and names to bypass protection.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
<MSFT:List Delimiter="|" />
</MSFT:AllowedValues>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>BruteForceProtection</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>BruteForceProtectionConfiguredState</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Brute-Force Protection in Microsoft Defender Antivirus detects and blocks attempts to forcibly sign in and initiate sessions.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Not configured: Apply defaults set by the antivirus engine and platform</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Block: Prevent suspicious and malicious behaviors</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Audit: Generate EDR detections without blocking</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>4</MSFT:Value>
<MSFT:ValueDescription>Off: Feature is disabled with no performance impact</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>BruteForceProtectionMaxBlockTime</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Set the maximum time an IP address is blocked by Brute-Force Protection. After this time, blocked IP addresses will be able to sign-in and initiate sessions. If set to 0, internal feature logic will determine blocking time.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[0-4294967295]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>BruteForceProtectionAggressiveness</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Set the criteria for when Brute-Force Protection blocks IP addresses.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Low: Only IP addresses that are 100% confidence malicious (default)</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Medium: Use cloud aggregation to block IP addresses that are over 99% likely malicious</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>High: Block IP addresses identified using client intelligence and context to block IP addresses that are over 90% likely malicious</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>BruteForceProtectionExclusions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Specify IP addresses, subnets, or workstation names to exclude from being blocked by Brute-Force Protection. Note that attackers can spoof excluded addresses and names to bypass protection.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
<MSFT:List Delimiter="|" />
</MSFT:AllowedValues>
</DFProperties>
</Node>
</Node>
</Node>
</Node> </Node>
<Node> <Node>
<NodeName>Scan</NodeName> <NodeName>Scan</NodeName>

132
windows/client-management/mdm/devicepreparation-csp.md
View File

@ -1,7 +1,7 @@
--- ---
title: DevicePreparation CSP title: DevicePreparation CSP
description: Learn more about the DevicePreparation CSP. description: Learn more about the DevicePreparation CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -26,6 +26,9 @@ The following list shows the DevicePreparation configuration service provider no
- [Progress](#mdmproviderprogress) - [Progress](#mdmproviderprogress)
- [RebootRequired](#mdmproviderrebootrequired) - [RebootRequired](#mdmproviderrebootrequired)
- [PageEnabled](#pageenabled) - [PageEnabled](#pageenabled)
- [PageErrorCode](#pageerrorcode)
- [PageErrorDetails](#pageerrordetails)
- [PageErrorPhase](#pageerrorphase)
- [PageSettings](#pagesettings) - [PageSettings](#pagesettings)
- [PageStatus](#pagestatus) - [PageStatus](#pagestatus)
<!-- DevicePreparation-Tree-End --> <!-- DevicePreparation-Tree-End -->
@ -306,6 +309,133 @@ This node determines whether to show the Device Preparation page during OOBE.
<!-- Device-PageEnabled-End --> <!-- Device-PageEnabled-End -->
<!-- Device-PageErrorCode-Begin -->
## PageErrorCode
<!-- Device-PageErrorCode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-PageErrorCode-Applicability-End -->
<!-- Device-PageErrorCode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/PageErrorCode
```
<!-- Device-PageErrorCode-OmaUri-End -->
<!-- Device-PageErrorCode-Description-Begin -->
<!-- Description-Source-DDF -->
This node provides specific overall HRESULT causing a fatal error on the Device Preparation page. This node is valid only if the PageErrorPhase node's value isn't Unknown.
<!-- Device-PageErrorCode-Description-End -->
<!-- Device-PageErrorCode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-PageErrorCode-Editable-End -->
<!-- Device-PageErrorCode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Get |
<!-- Device-PageErrorCode-DFProperties-End -->
<!-- Device-PageErrorCode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-PageErrorCode-Examples-End -->
<!-- Device-PageErrorCode-End -->
<!-- Device-PageErrorDetails-Begin -->
## PageErrorDetails
<!-- Device-PageErrorDetails-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-PageErrorDetails-Applicability-End -->
<!-- Device-PageErrorDetails-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/PageErrorDetails
```
<!-- Device-PageErrorDetails-OmaUri-End -->
<!-- Device-PageErrorDetails-Description-Begin -->
<!-- Description-Source-DDF -->
This node provides optional details for any fatal error on the Device Preparation page. This node is valid only if the PageErrorPhase node's value isn't Unknown, but not all errors will have details.
<!-- Device-PageErrorDetails-Description-End -->
<!-- Device-PageErrorDetails-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-PageErrorDetails-Editable-End -->
<!-- Device-PageErrorDetails-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
<!-- Device-PageErrorDetails-DFProperties-End -->
<!-- Device-PageErrorDetails-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-PageErrorDetails-Examples-End -->
<!-- Device-PageErrorDetails-End -->
<!-- Device-PageErrorPhase-Begin -->
## PageErrorPhase
<!-- Device-PageErrorPhase-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-PageErrorPhase-Applicability-End -->
<!-- Device-PageErrorPhase-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/PageErrorPhase
```
<!-- Device-PageErrorPhase-OmaUri-End -->
<!-- Device-PageErrorPhase-Description-Begin -->
<!-- Description-Source-DDF -->
This node provides the specific phase that failed during the Device Preparation page. Values are an enum: 0 = Unknown; 1 = AgentDownload; 2 = AgentProgress.
<!-- Device-PageErrorPhase-Description-End -->
<!-- Device-PageErrorPhase-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-PageErrorPhase-Editable-End -->
<!-- Device-PageErrorPhase-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Get |
<!-- Device-PageErrorPhase-DFProperties-End -->
<!-- Device-PageErrorPhase-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Unknown. |
| 1 | AgentDownload. |
| 2 | AgentProgress. |
<!-- Device-PageErrorPhase-AllowedValues-End -->
<!-- Device-PageErrorPhase-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-PageErrorPhase-Examples-End -->
<!-- Device-PageErrorPhase-End -->
<!-- Device-PageSettings-Begin --> <!-- Device-PageSettings-Begin -->
## PageSettings ## PageSettings

81
windows/client-management/mdm/devicepreparation-ddf-file.md
View File

@ -1,7 +1,7 @@
--- ---
title: DevicePreparation DDF file title: DevicePreparation DDF file
description: View the XML file containing the device description framework (DDF) for the DevicePreparation configuration service provider. description: View the XML file containing the device description framework (DDF) for the DevicePreparation configuration service provider.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion> <MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList> <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability> </MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
@ -110,6 +110,83 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>PageErrorPhase</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node provides the specific phase that failed during the Device Preparation page. Values are an enum: 0 = Unknown; 1 = AgentDownload; 2 = AgentProgress.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Unknown</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>AgentDownload</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>AgentProgress</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>PageErrorCode</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node provides specific overall HRESULT causing a fatal error on the Device Preparation page. This node is valid only if the PageErrorPhase node's value is not Unknown.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PageErrorDetails</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node provides optional details for any fatal error on the Device Preparation page. This node is valid only if the PageErrorPhase node's value is not Unknown, but not all errors will have details.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node> <Node>
<NodeName>PageSettings</NodeName> <NodeName>PageSettings</NodeName>
<DFProperties> <DFProperties>

4
windows/client-management/mdm/dmacc-csp.md
View File

@ -1,7 +1,7 @@
--- ---
title: DMAcc CSP title: DMAcc CSP
description: Learn more about the DMAcc CSP. description: Learn more about the DMAcc CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -709,7 +709,7 @@ Specifies the authentication type. If AAuthLevel is CLCRED, the supported types
|:--|:--| |:--|:--|
| Format | `chr` (string) | | Format | `chr` (string) |
| Access Type | Add, Get, Replace | | Access Type | Add, Get, Replace |
| Dependency [AAuthlevelDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/DMAcc/[AccountUID]/AppAuth/[ObjectName]/AAuthLevel` <br> Dependency Allowed Value: `SRVCRED` <br> Dependency Allowed Value Type: `ENUM` <br> | | Dependency [AAuthlevelDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `Syncml/DMAcc/[AccountUID]/AppAuth/[ObjectName]/AAuthLevel` <br> Dependency Allowed Value: `SRVCRED` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-{AccountUID}-AppAuth-{ObjectName}-AAuthType-DFProperties-End --> <!-- Device-{AccountUID}-AppAuth-{ObjectName}-AAuthType-DFProperties-End -->
<!-- Device-{AccountUID}-AppAuth-{ObjectName}-AAuthType-AllowedValues-Begin --> <!-- Device-{AccountUID}-AppAuth-{ObjectName}-AAuthType-AllowedValues-Begin -->

6
windows/client-management/mdm/dmacc-ddf-file.md
View File

@ -1,7 +1,7 @@
--- ---
title: DMAcc DDF file title: DMAcc DDF file
description: View the XML file containing the device description framework (DDF) for the DMAcc configuration service provider. description: View the XML file containing the device description framework (DDF) for the DMAcc configuration service provider.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion> <MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList> <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability> </MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
@ -527,7 +527,7 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:Enum> </MSFT:Enum>
</MSFT:DependencyChangedAllowedValues> </MSFT:DependencyChangedAllowedValues>
<MSFT:Dependency Type="DependsOn"> <MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/DMAcc/[AccountUID]/AppAuth/[ObjectName]/AAuthLevel</MSFT:DependencyUri> <MSFT:DependencyUri>Syncml/DMAcc/[AccountUID]/AppAuth/[ObjectName]/AAuthLevel</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM"> <MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>SRVCRED</MSFT:Value> <MSFT:Value>SRVCRED</MSFT:Value>

44
windows/client-management/mdm/healthattestation-csp.md
View File

@ -1,7 +1,7 @@
--- ---
title: HealthAttestation CSP title: HealthAttestation CSP
description: Learn more about the HealthAttestation CSP. description: Learn more about the HealthAttestation CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 01/18/2024
<!-- HealthAttestation-Begin --> <!-- HealthAttestation-Begin -->
# HealthAttestation CSP # HealthAttestation CSP
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- HealthAttestation-Editable-Begin --> <!-- HealthAttestation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT administrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions. The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT administrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions.
@ -25,6 +27,7 @@ The following list is a description of the functions performed by the Device Hea
The following list shows the HealthAttestation configuration service provider nodes: The following list shows the HealthAttestation configuration service provider nodes:
- ./Vendor/MSFT/HealthAttestation - ./Vendor/MSFT/HealthAttestation
- [AttestErrorMessage](#attesterrormessage)
- [AttestStatus](#atteststatus) - [AttestStatus](#atteststatus)
- [Certificate](#certificate) - [Certificate](#certificate)
- [CorrelationID](#correlationid) - [CorrelationID](#correlationid)
@ -42,6 +45,45 @@ The following list shows the HealthAttestation configuration service provider no
- [VerifyHealth](#verifyhealth) - [VerifyHealth](#verifyhealth)
<!-- HealthAttestation-Tree-End --> <!-- HealthAttestation-Tree-End -->
<!-- Device-AttestErrorMessage-Begin -->
## AttestErrorMessage
<!-- Device-AttestErrorMessage-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-AttestErrorMessage-Applicability-End -->
<!-- Device-AttestErrorMessage-OmaUri-Begin -->
```Device
./Vendor/MSFT/HealthAttestation/AttestErrorMessage
```
<!-- Device-AttestErrorMessage-OmaUri-End -->
<!-- Device-AttestErrorMessage-Description-Begin -->
<!-- Description-Source-DDF -->
AttestErrorMessage maintains the error message for the last attestation session, if returned by the attestation service.
<!-- Device-AttestErrorMessage-Description-End -->
<!-- Device-AttestErrorMessage-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-AttestErrorMessage-Editable-End -->
<!-- Device-AttestErrorMessage-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
<!-- Device-AttestErrorMessage-DFProperties-End -->
<!-- Device-AttestErrorMessage-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-AttestErrorMessage-Examples-End -->
<!-- Device-AttestErrorMessage-End -->
<!-- Device-AttestStatus-Begin --> <!-- Device-AttestStatus-Begin -->
## AttestStatus ## AttestStatus

29
windows/client-management/mdm/healthattestation-ddf.md
View File

@ -1,7 +1,7 @@
--- ---
title: HealthAttestation DDF file title: HealthAttestation DDF file
description: View the XML file containing the device description framework (DDF) for the HealthAttestation configuration service provider. description: View the XML file containing the device description framework (DDF) for the HealthAttestation configuration service provider.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the H
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion> <MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList> <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability> </MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
@ -416,6 +416,31 @@ The following XML file contains the device description framework (DDF) for the H
</MSFT:Applicability> </MSFT:Applicability>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>AttestErrorMessage</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>AttestErrorMessage maintains the error message for the last attestation session, if returned by the attestation service.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.4</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
</Node>
</Node> </Node>
</MgmtTree> </MgmtTree>
``` ```

339
windows/client-management/mdm/laps-csp.md
View File

@ -1,7 +1,7 @@
--- ---
title: LAPS CSP title: LAPS CSP
description: Learn more about the LAPS CSP. description: Learn more about the LAPS CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -34,7 +34,13 @@ The following list shows the LAPS configuration service provider nodes:
- [AdministratorAccountName](#policiesadministratoraccountname) - [AdministratorAccountName](#policiesadministratoraccountname)
- [ADPasswordEncryptionEnabled](#policiesadpasswordencryptionenabled) - [ADPasswordEncryptionEnabled](#policiesadpasswordencryptionenabled)
- [ADPasswordEncryptionPrincipal](#policiesadpasswordencryptionprincipal) - [ADPasswordEncryptionPrincipal](#policiesadpasswordencryptionprincipal)
- [AutomaticAccountManagementEnableAccount](#policiesautomaticaccountmanagementenableaccount)
- [AutomaticAccountManagementEnabled](#policiesautomaticaccountmanagementenabled)
- [AutomaticAccountManagementNameOrPrefix](#policiesautomaticaccountmanagementnameorprefix)
- [AutomaticAccountManagementRandomizeName](#policiesautomaticaccountmanagementrandomizename)
- [AutomaticAccountManagementTarget](#policiesautomaticaccountmanagementtarget)
- [BackupDirectory](#policiesbackupdirectory) - [BackupDirectory](#policiesbackupdirectory)
- [PassphraseLength](#policiespassphraselength)
- [PasswordAgeDays](#policiespasswordagedays) - [PasswordAgeDays](#policiespasswordagedays)
- [PasswordComplexity](#policiespasswordcomplexity) - [PasswordComplexity](#policiespasswordcomplexity)
- [PasswordExpirationProtectionEnabled](#policiespasswordexpirationprotectionenabled) - [PasswordExpirationProtectionEnabled](#policiespasswordexpirationprotectionenabled)
@ -420,6 +426,275 @@ If the specified user or group account is invalid the device will fallback to us
<!-- Device-Policies-ADPasswordEncryptionPrincipal-End --> <!-- Device-Policies-ADPasswordEncryptionPrincipal-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Begin -->
### Policies/AutomaticAccountManagementEnableAccount
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnableAccount
```
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-OmaUri-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Description-Begin -->
<!-- Description-Source-DDF -->
Use this setting to configure whether the automatically managed account is enabled or disabled.
- If this setting is enabled, the target account will be enabled.
- If this setting is disabled, the target account will be disabled.
If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Description-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Editable-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | False |
| Dependency [AutomaticAccountManagementEnabled] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled` <br> Dependency Allowed Value: `true` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-DFProperties-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| False (Default) | The target account will be disabled. |
| True | The target account will be enabled. |
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-AllowedValues-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Examples-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-Begin -->
### Policies/AutomaticAccountManagementEnabled
<!-- Device-Policies-AutomaticAccountManagementEnabled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- Device-Policies-AutomaticAccountManagementEnabled-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled
```
<!-- Device-Policies-AutomaticAccountManagementEnabled-OmaUri-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-Description-Begin -->
<!-- Description-Source-DDF -->
Use this setting to specify whether automatic account management is enabled.
- If this setting is enabled, the target account will be automatically managed.
- If this setting is disabled, the target account won't be automatically managed.
If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementEnabled-Description-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-Editable-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | False |
<!-- Device-Policies-AutomaticAccountManagementEnabled-DFProperties-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| false (Default) | The target account won't be automatically managed. |
| true | The target account will be automatically managed. |
<!-- Device-Policies-AutomaticAccountManagementEnabled-AllowedValues-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-Examples-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Begin -->
### Policies/AutomaticAccountManagementNameOrPrefix
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementNameOrPrefix
```
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-OmaUri-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Description-Begin -->
<!-- Description-Source-DDF -->
Use this setting to configure the name or prefix of the managed local administrator account.
If specified, the value will be used as the name or name prefix of the managed account.
If not specified, this setting will default to "WLapsAdmin".
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Description-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Editable-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Dependency [AutomaticAccountManagementEnabled] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled` <br> Dependency Allowed Value: `true` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-DFProperties-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Examples-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Begin -->
### Policies/AutomaticAccountManagementRandomizeName
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementRandomizeName
```
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-OmaUri-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Description-Begin -->
<!-- Description-Source-DDF -->
Use this setting to configure whether the name of the automatically managed account uses a random numeric suffix each time the password is rotated.
If this setting is enabled, the name of the target account will use a random numeric suffix.
If this setting is disbled, the name of the target account won't use a random numeric suffix.
If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Description-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Editable-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | False |
| Dependency [AutomaticAccountManagementEnabled] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled` <br> Dependency Allowed Value: `true` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-DFProperties-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| False (Default) | The name of the target account won't use a random numeric suffix. |
| True | The name of the target account will use a random numeric suffix. |
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-AllowedValues-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Examples-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-Begin -->
### Policies/AutomaticAccountManagementTarget
<!-- Device-Policies-AutomaticAccountManagementTarget-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- Device-Policies-AutomaticAccountManagementTarget-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementTarget
```
<!-- Device-Policies-AutomaticAccountManagementTarget-OmaUri-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-Description-Begin -->
<!-- Description-Source-DDF -->
Use this setting to configure which account is automatically managed.
The allowable settings are:
0=The builtin administrator account will be managed.
1=A new account created by Windows LAPS will be managed.
If not specified, this setting will default to 1.
<!-- Device-Policies-AutomaticAccountManagementTarget-Description-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementTarget-Editable-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
| Dependency [AutomaticAccountManagementEnabled] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled` <br> Dependency Allowed Value: `true` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-Policies-AutomaticAccountManagementTarget-DFProperties-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Manage the built-in administrator account. |
| 1 (Default) | Manage a new custom administrator account. |
<!-- Device-Policies-AutomaticAccountManagementTarget-AllowedValues-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementTarget-Examples-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-End -->
<!-- Device-Policies-BackupDirectory-Begin --> <!-- Device-Policies-BackupDirectory-Begin -->
### Policies/BackupDirectory ### Policies/BackupDirectory
@ -478,6 +753,54 @@ If not specified, this setting will default to 0.
<!-- Device-Policies-BackupDirectory-End --> <!-- Device-Policies-BackupDirectory-End -->
<!-- Device-Policies-PassphraseLength-Begin -->
### Policies/PassphraseLength
<!-- Device-Policies-PassphraseLength-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- Device-Policies-PassphraseLength-Applicability-End -->
<!-- Device-Policies-PassphraseLength-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/LAPS/Policies/PassphraseLength
```
<!-- Device-Policies-PassphraseLength-OmaUri-End -->
<!-- Device-Policies-PassphraseLength-Description-Begin -->
<!-- Description-Source-DDF -->
Use this setting to configure the number of passphrase words.
If not specified, this setting will default to 6 words.
This setting has a minimum allowed value of 3 words.
This setting has a maximum allowed value of 10 words.
<!-- Device-Policies-PassphraseLength-Description-End -->
<!-- Device-Policies-PassphraseLength-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-PassphraseLength-Editable-End -->
<!-- Device-Policies-PassphraseLength-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[3-10]` |
| Default Value | 6 |
| Dependency [PasswordComplexity] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/LAPS/Policies/PasswordComplexity` <br> Dependency Allowed Value: `[6-8]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- Device-Policies-PassphraseLength-DFProperties-End -->
<!-- Device-Policies-PassphraseLength-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-PassphraseLength-Examples-End -->
<!-- Device-Policies-PassphraseLength-End -->
<!-- Device-Policies-PasswordAgeDays-Begin --> <!-- Device-Policies-PasswordAgeDays-Begin -->
### Policies/PasswordAgeDays ### Policies/PasswordAgeDays
@ -550,9 +873,15 @@ The allowable settings are:
1=Large letters 1=Large letters
2=Large letters + small letters 2=Large letters + small letters
3=Large letters + small letters + numbers 3=Large letters + small letters + numbers
4=Large letters + small letters + numbers + special characters. 4=Large letters + small letters + numbers + special characters
5=Large letters + small letters + numbers + special characters (improved readability)
6=Passphrase (long words)
7=Passphrase (short words)
8=Passphrase (short words with unique prefixes)
If not specified, this setting will default to 4. If not specified, this setting will default to 4.
Passphrase list taken from "Deep Dive: EFF's New Wordlists for Random Passphrases" by Electronic Frontier Foundation, and is used under a CC-BY-3.0 Attribution license. See <https://go.microsoft.com/fwlink/?linkid=2255471> for more information.
<!-- Device-Policies-PasswordComplexity-Description-End --> <!-- Device-Policies-PasswordComplexity-Description-End -->
<!-- Device-Policies-PasswordComplexity-Editable-Begin --> <!-- Device-Policies-PasswordComplexity-Editable-Begin -->
@ -580,6 +909,10 @@ If not specified, this setting will default to 4.
| 2 | Large letters + small letters. | | 2 | Large letters + small letters. |
| 3 | Large letters + small letters + numbers. | | 3 | Large letters + small letters + numbers. |
| 4 (Default) | Large letters + small letters + numbers + special characters. | | 4 (Default) | Large letters + small letters + numbers + special characters. |
| 5 | Large letters + small letters + numbers + special characters (improved readability). |
| 6 | Passphrase (long words). |
| 7 | Passphrase (short words). |
| 8 | Passphrase (short words with unique prefixes). |
<!-- Device-Policies-PasswordComplexity-AllowedValues-End --> <!-- Device-Policies-PasswordComplexity-AllowedValues-End -->
<!-- Device-Policies-PasswordComplexity-Examples-Begin --> <!-- Device-Policies-PasswordComplexity-Examples-Begin -->
@ -683,6 +1016,7 @@ This setting has a maximum allowed value of 64 characters.
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[8-64]` | | Allowed Values | Range: `[8-64]` |
| Default Value | 14 | | Default Value | 14 |
| Dependency [PasswordComplexity] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/LAPS/Policies/PasswordComplexity` <br> Dependency Allowed Value: `[1-5]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- Device-Policies-PasswordLength-DFProperties-End --> <!-- Device-Policies-PasswordLength-DFProperties-End -->
<!-- Device-Policies-PasswordLength-Examples-Begin --> <!-- Device-Policies-PasswordLength-Examples-Begin -->
@ -740,6 +1074,7 @@ If not specified, this setting will default to 3 (Reset the password and logoff
| 1 | Reset password: upon expiry of the grace period, the managed account password will be reset. | | 1 | Reset password: upon expiry of the grace period, the managed account password will be reset. |
| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated. | | 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated. |
| 5 | Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. | | 5 | Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. |
| 11 | Reset the password, logoff the managed account, and terminate any remaining processes: upon expiration of the grace period, the managed account password is reset, any interactive logon sessions using the managed account are logged off, and any remaining processes are terminated. |
<!-- Device-Policies-PostAuthenticationActions-AllowedValues-End --> <!-- Device-Policies-PostAuthenticationActions-AllowedValues-End -->
<!-- Device-Policies-PostAuthenticationActions-Examples-Begin --> <!-- Device-Policies-PostAuthenticationActions-Examples-Begin -->

359
windows/client-management/mdm/laps-ddf-file.md
View File

@ -1,7 +1,7 @@
--- ---
title: LAPS DDF file title: LAPS DDF file
description: View the XML file containing the device description framework (DDF) for the LAPS configuration service provider. description: View the XML file containing the device description framework (DDF) for the LAPS configuration service provider.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -194,8 +194,14 @@ The allowable settings are:
2=Large letters + small letters 2=Large letters + small letters
3=Large letters + small letters + numbers 3=Large letters + small letters + numbers
4=Large letters + small letters + numbers + special characters 4=Large letters + small letters + numbers + special characters
5=Large letters + small letters + numbers + special characters (improved readability)
6=Passphrase (long words)
7=Passphrase (short words)
8=Passphrase (short words with unique prefixes)
If not specified, this setting will default to 4.</Description> If not specified, this setting will default to 4.
Passphrase list taken from "Deep Dive: EFF's New Wordlists for Random Passphrases" by Electronic Frontier Foundation, and is used under a CC-BY-3.0 Attribution license. See https://go.microsoft.com/fwlink/?linkid=2255471 for more information.</Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
@ -225,6 +231,22 @@ If not specified, this setting will default to 4.</Description>
<MSFT:Value>4</MSFT:Value> <MSFT:Value>4</MSFT:Value>
<MSFT:ValueDescription>Large letters + small letters + numbers + special characters</MSFT:ValueDescription> <MSFT:ValueDescription>Large letters + small letters + numbers + special characters</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>5</MSFT:Value>
<MSFT:ValueDescription>Large letters + small letters + numbers + special characters (improved readability)</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>6</MSFT:Value>
<MSFT:ValueDescription>Passphrase (long words)</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>7</MSFT:Value>
<MSFT:ValueDescription>Passphrase (short words)</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>8</MSFT:Value>
<MSFT:ValueDescription>Passphrase (short words with unique prefixes)</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
@ -260,6 +282,70 @@ This setting has a maximum allowed value of 64 characters.</Description>
<MSFT:AllowedValues ValueType="Range"> <MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[8-64]</MSFT:Value> <MSFT:Value>[8-64]</MSFT:Value>
</MSFT:AllowedValues> </MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="PasswordComplexity">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/PasswordComplexity</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="Range">
<MSFT:Enum>
<MSFT:Value>[1-5]</MSFT:Value>
<MSFT:ValueDescription>PasswordComplexity configured to generate a password</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>PassphraseLength</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>6</DefaultValue>
<Description>Use this setting to configure the number of passphrase words.
If not specified, this setting will default to 6 words
This setting has a minimum allowed value of 3 words.
This setting has a maximum allowed value of 10 words.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[3-10]</MSFT:Value>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="PasswordComplexity">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/PasswordComplexity</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="Range">
<MSFT:Enum>
<MSFT:Value>[6-8]</MSFT:Value>
<MSFT:ValueDescription>PasswordComplexity configured to generate a passphrase</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -567,9 +653,278 @@ If not specified, this setting will default to 3 (Reset the password and logoff
<MSFT:Value>5</MSFT:Value> <MSFT:Value>5</MSFT:Value>
<MSFT:ValueDescription>Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted.</MSFT:ValueDescription> <MSFT:ValueDescription>Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted.</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>11</MSFT:Value>
<MSFT:ValueDescription>Reset the password, logoff the managed account, and terminate any remaining processes: upon expiration of the grace period, the managed account password is reset, any interactive logon sessions using the managed account are logged off, and any remaining processes are terminated.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>AutomaticAccountManagementEnabled</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Use this setting to specify whether automatic account management is enabled.
If this setting is enabled, the target account will be automatically managed.
If this setting is disabled, the target account will not be automatically managed.
If not specified, this setting defaults to False.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>The target account will not be automatically managed</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>The target account will be automatically managed</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>AutomaticAccountManagementTarget</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>Use this setting to configure which account is automatically managed.
The allowable settings are:
0=The builtin administrator account will be managed.
1=A new account created by Windows LAPS will be managed.
If not specified, this setting will default to 1.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Manage the built-in administrator account</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Manage a new custom administrator account</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="AutomaticAccountManagementEnabled">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>AutomaticAccountManagementEnabled enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>AutomaticAccountManagementNameOrPrefix</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Use this setting to configure the name or prefix of the managed local administrator account.
If specified, the value will be used as the name or name prefix of the managed account.
If not specified, this setting will default to "WLapsAdmin".</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="AutomaticAccountManagementEnabled">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>AutomaticAccountManagementEnabled enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>AutomaticAccountManagementEnableAccount</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Use this setting to configure whether the automatically managed account is enabled or disabled.
If this setting is enabled, the target account will be enabled.
If this setting is disabled, the target account will be disabled.
If not specified, this setting defaults to False.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>False</MSFT:Value>
<MSFT:ValueDescription>The target account will be disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>True</MSFT:Value>
<MSFT:ValueDescription>The target account will be enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="AutomaticAccountManagementEnabled">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>AutomaticAccountManagementEnabled enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>AutomaticAccountManagementRandomizeName</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Use this setting to configure whether the name of the automatically managed account uses a random numeric suffix each time the password is rotated.
If this setting is enabled, the name of the target account will use a random numeric suffix.
If this setting is disbled, the name of the target account will not use a random numeric suffix..
If not specified, this setting defaults to False.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>False</MSFT:Value>
<MSFT:ValueDescription>The name of the target account will not use a random numeric suffix.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>True</MSFT:Value>
<MSFT:ValueDescription>The name of the target account will use a random numeric suffix.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="AutomaticAccountManagementEnabled">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>AutomaticAccountManagementEnabled enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
</Node> </Node>
<Node> <Node>
<NodeName>Actions</NodeName> <NodeName>Actions</NodeName>

4
windows/client-management/mdm/personalization-csp.md
View File

@ -1,7 +1,7 @@
--- ---
title: Personalization CSP title: Personalization CSP
description: Learn more about the Personalization CSP. description: Learn more about the Personalization CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -127,7 +127,7 @@ An http or https Url to a jpg, jpeg or png image that needs to be downloaded and
<!-- Device-CompanyName-Description-Begin --> <!-- Device-CompanyName-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
The name of the company to be displayed on the sign-in screen. This setting is currently available for boot to cloud shared pc mode only. This represents the name of the company. It can be at most 30 characters long. This setting is currently available only for boot to cloud shared pc mode to display the company name on sign-in screen.
<!-- Device-CompanyName-Description-End --> <!-- Device-CompanyName-Description-End -->
<!-- Device-CompanyName-Editable-Begin --> <!-- Device-CompanyName-Editable-Begin -->

6
windows/client-management/mdm/personalization-ddf.md
View File

@ -1,7 +1,7 @@
--- ---
title: Personalization DDF file title: Personalization DDF file
description: View the XML file containing the device description framework (DDF) for the Personalization configuration service provider. description: View the XML file containing the device description framework (DDF) for the Personalization configuration service provider.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the P
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion> <MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList> <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability> </MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
@ -203,7 +203,7 @@ The following XML file contains the device description framework (DDF) for the P
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>The name of the company to be displayed on the sign-in screen. This setting is currently available for boot to cloud shared pc mode only.</Description> <Description>This represents the name of the company. It can be at most 30 characters long. This setting is currently available only for boot to cloud shared pc mode to display the company name on sign-in screen.</Description>
<DFFormat> <DFFormat>
<chr /> <chr />
</DFFormat> </DFFormat>

9
windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
View File

@ -1,7 +1,7 @@
--- ---
title: ADMX-backed policies in Policy CSP title: ADMX-backed policies in Policy CSP
description: Learn about the ADMX-backed policies in Policy CSP. description: Learn about the ADMX-backed policies in Policy CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -539,6 +539,8 @@ This article lists the ADMX-backed policies in Policy CSP.
- [HelpQualifiedRootDir_Comp](policy-csp-admx-help.md) - [HelpQualifiedRootDir_Comp](policy-csp-admx-help.md)
- [RestrictRunFromHelp_Comp](policy-csp-admx-help.md) - [RestrictRunFromHelp_Comp](policy-csp-admx-help.md)
- [DisableHHDEP](policy-csp-admx-help.md) - [DisableHHDEP](policy-csp-admx-help.md)
- [AllowChildProcesses](policy-csp-admx-help.md)
- [HideChildProcessMessageBox](policy-csp-admx-help.md)
## ADMX_HelpAndSupport ## ADMX_HelpAndSupport
@ -2515,6 +2517,7 @@ This article lists the ADMX-backed policies in Policy CSP.
- [ConfigureRpcAuthnLevelPrivacyEnabled](policy-csp-printers.md) - [ConfigureRpcAuthnLevelPrivacyEnabled](policy-csp-printers.md)
- [ConfigureIppPageCountsPolicy](policy-csp-printers.md) - [ConfigureIppPageCountsPolicy](policy-csp-printers.md)
- [ConfigureRedirectionGuardPolicy](policy-csp-printers.md) - [ConfigureRedirectionGuardPolicy](policy-csp-printers.md)
- [ConfigureWindowsProtectedPrint](policy-csp-printers.md)
## RemoteAssistance ## RemoteAssistance
@ -2587,6 +2590,10 @@ This article lists the ADMX-backed policies in Policy CSP.
- [WPDDevicesDenyReadAccessPerDevice](policy-csp-storage.md) - [WPDDevicesDenyReadAccessPerDevice](policy-csp-storage.md)
- [WPDDevicesDenyWriteAccessPerDevice](policy-csp-storage.md) - [WPDDevicesDenyWriteAccessPerDevice](policy-csp-storage.md)
## Sudo
- [EnableSudo](policy-csp-sudo.md)
## System ## System
- [BootStartDriverInitialization](policy-csp-system.md) - [BootStartDriverInitialization](policy-csp-system.md)

13
windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
View File

@ -1,7 +1,7 @@
--- ---
title: Policies in Policy CSP supported by Group Policy title: Policies in Policy CSP supported by Group Policy
description: Learn about the policies in Policy CSP supported by Group Policy. description: Learn about the policies in Policy CSP supported by Group Policy.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -281,6 +281,9 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [PasswordComplexity](policy-csp-devicelock.md) - [PasswordComplexity](policy-csp-devicelock.md)
- [PasswordHistorySize](policy-csp-devicelock.md) - [PasswordHistorySize](policy-csp-devicelock.md)
- [AllowAdministratorLockout](policy-csp-devicelock.md) - [AllowAdministratorLockout](policy-csp-devicelock.md)
- [MinimumPasswordLength](policy-csp-devicelock.md)
- [MinimumPasswordLengthAudit](policy-csp-devicelock.md)
- [RelaxMinimumPasswordLengthLimits](policy-csp-devicelock.md)
## Display ## Display
@ -383,14 +386,11 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [DomainMember_DisableMachineAccountPasswordChanges](policy-csp-localpoliciessecurityoptions.md) - [DomainMember_DisableMachineAccountPasswordChanges](policy-csp-localpoliciessecurityoptions.md)
- [DomainMember_MaximumMachineAccountPasswordAge](policy-csp-localpoliciessecurityoptions.md) - [DomainMember_MaximumMachineAccountPasswordAge](policy-csp-localpoliciessecurityoptions.md)
- [DomainMember_RequireStrongSessionKey](policy-csp-localpoliciessecurityoptions.md) - [DomainMember_RequireStrongSessionKey](policy-csp-localpoliciessecurityoptions.md)
- [MinimumPasswordLength](policy-csp-localpoliciessecurityoptions.md)
- [MinimumPasswordLengthAudit](policy-csp-localpoliciessecurityoptions.md)
- [RelaxMinimumPasswordLengthLimits](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](policy-csp-localpoliciessecurityoptions.md) - [InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_DoNotRequireCTRLALTDEL](policy-csp-localpoliciessecurityoptions.md) - [InteractiveLogon_DoNotRequireCTRLALTDEL](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_DoNotDisplayLastSignedIn](policy-csp-localpoliciessecurityoptions.md) - [InteractiveLogon_DoNotDisplayLastSignedIn](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_DoNotDisplayUsernameAtSignIn](policy-csp-localpoliciessecurityoptions.md) - [InteractiveLogon_DoNotDisplayUsernameAtSignIn](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_MachineAccountThreshold](policy-csp-localpoliciessecurityoptions.md) - [InteractiveLogon_MachineAccountLockoutThreshold](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_MachineInactivityLimit](policy-csp-localpoliciessecurityoptions.md) - [InteractiveLogon_MachineInactivityLimit](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_MessageTextForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md) - [InteractiveLogon_MessageTextForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md) - [InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md)
@ -425,10 +425,12 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [UserAccountControl_UseAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md) - [UserAccountControl_UseAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](policy-csp-localpoliciessecurityoptions.md) - [UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](policy-csp-localpoliciessecurityoptions.md) - [UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](policy-csp-localpoliciessecurityoptions.md) - [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated](policy-csp-localpoliciessecurityoptions.md) - [UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations](policy-csp-localpoliciessecurityoptions.md) - [UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_RunAllAdministratorsInAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md) - [UserAccountControl_RunAllAdministratorsInAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_TypeOfAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](policy-csp-localpoliciessecurityoptions.md) - [UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](policy-csp-localpoliciessecurityoptions.md) - [UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_DetectApplicationInstallationsAndPromptForElevation](policy-csp-localpoliciessecurityoptions.md) - [UserAccountControl_DetectApplicationInstallationsAndPromptForElevation](policy-csp-localpoliciessecurityoptions.md)
@ -865,6 +867,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
## WindowsAI ## WindowsAI
- [TurnOffWindowsCopilot](policy-csp-windowsai.md) - [TurnOffWindowsCopilot](policy-csp-windowsai.md)
- [DisableAIDataAnalysis](policy-csp-windowsai.md)
## WindowsDefenderSecurityCenter ## WindowsDefenderSecurityCenter

3
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -1,7 +1,7 @@
--- ---
title: Policy CSP title: Policy CSP
description: Learn more about the Policy CSP. description: Learn more about the Policy CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -1155,6 +1155,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f
- [Start](policy-csp-start.md) - [Start](policy-csp-start.md)
- [Stickers](policy-csp-stickers.md) - [Stickers](policy-csp-stickers.md)
- [Storage](policy-csp-storage.md) - [Storage](policy-csp-storage.md)
- [Sudo](policy-csp-sudo.md)
- [System](policy-csp-system.md) - [System](policy-csp-system.md)
- [SystemServices](policy-csp-systemservices.md) - [SystemServices](policy-csp-systemservices.md)
- [TaskManager](policy-csp-taskmanager.md) - [TaskManager](policy-csp-taskmanager.md)

104
windows/client-management/mdm/policy-csp-admx-help.md
View File

@ -1,7 +1,7 @@
--- ---
title: ADMX_Help Policy CSP title: ADMX_Help Policy CSP
description: Learn more about the ADMX_Help Area in Policy CSP. description: Learn more about the ADMX_Help Area in Policy CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -11,10 +11,62 @@ ms.date: 01/18/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)] [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- ADMX_Help-Editable-Begin --> <!-- ADMX_Help-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ADMX_Help-Editable-End --> <!-- ADMX_Help-Editable-End -->
<!-- AllowChildProcesses-Begin -->
## AllowChildProcesses
<!-- AllowChildProcesses-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllowChildProcesses-Applicability-End -->
<!-- AllowChildProcesses-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_Help/AllowChildProcesses
```
<!-- AllowChildProcesses-OmaUri-End -->
<!-- AllowChildProcesses-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- AllowChildProcesses-Description-End -->
<!-- AllowChildProcesses-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowChildProcesses-Editable-End -->
<!-- AllowChildProcesses-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- AllowChildProcesses-DFProperties-End -->
<!-- AllowChildProcesses-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | AllowChildProcesses |
| ADMX File Name | Help.admx |
<!-- AllowChildProcesses-AdmxBacked-End -->
<!-- AllowChildProcesses-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowChildProcesses-Examples-End -->
<!-- AllowChildProcesses-End -->
<!-- DisableHHDEP-Begin --> <!-- DisableHHDEP-Begin -->
## DisableHHDEP ## DisableHHDEP
@ -148,6 +200,56 @@ For additional options, see the "Restrict these programs from being launched fro
<!-- HelpQualifiedRootDir_Comp-End --> <!-- HelpQualifiedRootDir_Comp-End -->
<!-- HideChildProcessMessageBox-Begin -->
## HideChildProcessMessageBox
<!-- HideChildProcessMessageBox-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- HideChildProcessMessageBox-Applicability-End -->
<!-- HideChildProcessMessageBox-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_Help/HideChildProcessMessageBox
```
<!-- HideChildProcessMessageBox-OmaUri-End -->
<!-- HideChildProcessMessageBox-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- HideChildProcessMessageBox-Description-End -->
<!-- HideChildProcessMessageBox-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- HideChildProcessMessageBox-Editable-End -->
<!-- HideChildProcessMessageBox-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- HideChildProcessMessageBox-DFProperties-End -->
<!-- HideChildProcessMessageBox-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | HideChildProcessMessageBox |
| ADMX File Name | Help.admx |
<!-- HideChildProcessMessageBox-AdmxBacked-End -->
<!-- HideChildProcessMessageBox-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- HideChildProcessMessageBox-Examples-End -->
<!-- HideChildProcessMessageBox-End -->
<!-- RestrictRunFromHelp-Begin --> <!-- RestrictRunFromHelp-Begin -->
## RestrictRunFromHelp ## RestrictRunFromHelp

165
windows/client-management/mdm/policy-csp-devicelock.md
View File

@ -1,7 +1,7 @@
--- ---
title: DeviceLock Policy CSP title: DeviceLock Policy CSP
description: Learn more about the DeviceLock Area in Policy CSP. description: Learn more about the DeviceLock Area in Policy CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -711,7 +711,7 @@ This security setting determines the period of time (in days) that a password ca
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-999]` | | Allowed Values | Range: `[0-999]` |
| Default Value | 1 | | Default Value | 42 |
<!-- MaximumPasswordAge-DFProperties-End --> <!-- MaximumPasswordAge-DFProperties-End -->
<!-- MaximumPasswordAge-GpMapping-Begin --> <!-- MaximumPasswordAge-GpMapping-Begin -->
@ -1016,6 +1016,109 @@ This security setting determines the period of time (in days) that a password mu
<!-- MinimumPasswordAge-End --> <!-- MinimumPasswordAge-End -->
<!-- MinimumPasswordLength-Begin -->
## MinimumPasswordLength
<!-- MinimumPasswordLength-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- MinimumPasswordLength-Applicability-End -->
<!-- MinimumPasswordLength-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinimumPasswordLength
```
<!-- MinimumPasswordLength-OmaUri-End -->
<!-- MinimumPasswordLength-Description-Begin -->
<!-- Description-Source-DDF -->
This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting depends on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting isn't defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required.
> [!NOTE]
> By default, member computers follow the configuration of their domain controllers. Default values: 7 on domain controllers 0 on stand-alone servers Configuring this setting larger than 14 may affect compatibility with clients, services, and applications. We recommend that you only configure this setting larger than 14 after you use the Minimum password length audit setting to test for potential incompatibilities at the new setting.
<!-- MinimumPasswordLength-Description-End -->
<!-- MinimumPasswordLength-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MinimumPasswordLength-Editable-End -->
<!-- MinimumPasswordLength-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-128]` |
| Default Value | 0 |
<!-- MinimumPasswordLength-DFProperties-End -->
<!-- MinimumPasswordLength-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Minimum password length |
| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
<!-- MinimumPasswordLength-GpMapping-End -->
<!-- MinimumPasswordLength-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- MinimumPasswordLength-Examples-End -->
<!-- MinimumPasswordLength-End -->
<!-- MinimumPasswordLengthAudit-Begin -->
## MinimumPasswordLengthAudit
<!-- MinimumPasswordLengthAudit-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- MinimumPasswordLengthAudit-Applicability-End -->
<!-- MinimumPasswordLengthAudit-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinimumPasswordLengthAudit
```
<!-- MinimumPasswordLengthAudit-OmaUri-End -->
<!-- MinimumPasswordLengthAudit-Description-Begin -->
<!-- Description-Source-DDF -->
This security setting determines the minimum password length for which password length audit warning events are issued. This setting may be configured from 1 to 128. You should only enable and configure this setting when you try to determine the potential effect of increasing the minimum password length setting in your environment. If this setting isn't defined, audit events won't be issued. If this setting is defined and is less than or equal to the minimum password length setting, audit events won't be issued. If this setting is defined and is greater than the minimum password length setting, and the length of a new account password is less than this setting, an audit event will be issued.
<!-- MinimumPasswordLengthAudit-Description-End -->
<!-- MinimumPasswordLengthAudit-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MinimumPasswordLengthAudit-Editable-End -->
<!-- MinimumPasswordLengthAudit-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[1-128]` |
| Default Value | 4294967295 |
<!-- MinimumPasswordLengthAudit-DFProperties-End -->
<!-- MinimumPasswordLengthAudit-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Minimum password length audit |
| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
<!-- MinimumPasswordLengthAudit-GpMapping-End -->
<!-- MinimumPasswordLengthAudit-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- MinimumPasswordLengthAudit-Examples-End -->
<!-- MinimumPasswordLengthAudit-End -->
<!-- PasswordComplexity-Begin --> <!-- PasswordComplexity-Begin -->
## PasswordComplexity ## PasswordComplexity
@ -1248,6 +1351,64 @@ If you enable this setting, users will no longer be able to modify slide show se
<!-- PreventLockScreenSlideShow-End --> <!-- PreventLockScreenSlideShow-End -->
<!-- RelaxMinimumPasswordLengthLimits-Begin -->
## RelaxMinimumPasswordLengthLimits
<!-- RelaxMinimumPasswordLengthLimits-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- RelaxMinimumPasswordLengthLimits-Applicability-End -->
<!-- RelaxMinimumPasswordLengthLimits-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceLock/RelaxMinimumPasswordLengthLimits
```
<!-- RelaxMinimumPasswordLengthLimits-OmaUri-End -->
<!-- RelaxMinimumPasswordLengthLimits-Description-Begin -->
<!-- Description-Source-DDF -->
This setting controls whether the minimum password length setting can be increased beyond the legacy limit of 14. If this setting isn't defined, minimum password length may be configured to no more than 14. If this setting is defined and disabled, minimum password length may be configured to no more than 14. If this setting is defined and enabled, minimum password length may be configured more than 14.
<!-- RelaxMinimumPasswordLengthLimits-Description-End -->
<!-- RelaxMinimumPasswordLengthLimits-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- RelaxMinimumPasswordLengthLimits-Editable-End -->
<!-- RelaxMinimumPasswordLengthLimits-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- RelaxMinimumPasswordLengthLimits-DFProperties-End -->
<!-- RelaxMinimumPasswordLengthLimits-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- RelaxMinimumPasswordLengthLimits-AllowedValues-End -->
<!-- RelaxMinimumPasswordLengthLimits-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Relax minimum password length |
| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
<!-- RelaxMinimumPasswordLengthLimits-GpMapping-End -->
<!-- RelaxMinimumPasswordLengthLimits-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- RelaxMinimumPasswordLengthLimits-Examples-End -->
<!-- RelaxMinimumPasswordLengthLimits-End -->
<!-- ScreenTimeoutWhileLocked-Begin --> <!-- ScreenTimeoutWhileLocked-Begin -->
## ScreenTimeoutWhileLocked ## ScreenTimeoutWhileLocked

10
windows/client-management/mdm/policy-csp-kerberos.md
View File

@ -1,7 +1,7 @@
--- ---
title: Kerberos Policy CSP title: Kerberos Policy CSP
description: Learn more about the Kerberos Area in Policy CSP. description: Learn more about the Kerberos Area in Policy CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -316,7 +316,7 @@ If you don't configure this policy, the SHA1 algorithm will assume the **Default
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Default Value | 1 | | Default Value | 1 |
| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> | | Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfiguration` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- PKInitHashAlgorithmSHA1-DFProperties-End --> <!-- PKInitHashAlgorithmSHA1-DFProperties-End -->
<!-- PKInitHashAlgorithmSHA1-AllowedValues-Begin --> <!-- PKInitHashAlgorithmSHA1-AllowedValues-Begin -->
@ -389,7 +389,7 @@ If you don't configure this policy, the SHA256 algorithm will assume the **Defau
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Default Value | 1 | | Default Value | 1 |
| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> | | Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfiguration` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- PKInitHashAlgorithmSHA256-DFProperties-End --> <!-- PKInitHashAlgorithmSHA256-DFProperties-End -->
<!-- PKInitHashAlgorithmSHA256-AllowedValues-Begin --> <!-- PKInitHashAlgorithmSHA256-AllowedValues-Begin -->
@ -462,7 +462,7 @@ If you don't configure this policy, the SHA384 algorithm will assume the **Defau
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Default Value | 1 | | Default Value | 1 |
| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> | | Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfiguration` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- PKInitHashAlgorithmSHA384-DFProperties-End --> <!-- PKInitHashAlgorithmSHA384-DFProperties-End -->
<!-- PKInitHashAlgorithmSHA384-AllowedValues-Begin --> <!-- PKInitHashAlgorithmSHA384-AllowedValues-Begin -->
@ -535,7 +535,7 @@ If you don't configure this policy, the SHA512 algorithm will assume the **Defau
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Default Value | 1 | | Default Value | 1 |
| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> | | Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfiguration` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- PKInitHashAlgorithmSHA512-DFProperties-End --> <!-- PKInitHashAlgorithmSHA512-DFProperties-End -->
<!-- PKInitHashAlgorithmSHA512-AllowedValues-Begin --> <!-- PKInitHashAlgorithmSHA512-AllowedValues-Begin -->

392
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

@ -1,7 +1,7 @@
--- ---
title: LocalPoliciesSecurityOptions Policy CSP title: LocalPoliciesSecurityOptions Policy CSP
description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CSP. description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -366,7 +366,7 @@ Accounts: Rename guest account This security setting determines whether a differ
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Applicability-Begin --> <!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Applicability-End --> <!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Applicability-End -->
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-OmaUri-Begin --> <!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-OmaUri-Begin -->
@ -395,6 +395,7 @@ Audit: Audit the use of Backup and Restore privilege This security setting deter
| Format | `b64` | | Format | `b64` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: ``) | | Allowed Values | List (Delimiter: ``) |
| Default Value | 00 |
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-DFProperties-End --> <!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-DFProperties-End -->
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Examples-Begin --> <!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Examples-Begin -->
@ -409,7 +410,7 @@ Audit: Audit the use of Backup and Restore privilege This security setting deter
<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Applicability-Begin --> <!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Applicability-End --> <!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Applicability-End -->
<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-OmaUri-Begin --> <!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-OmaUri-Begin -->
@ -450,7 +451,7 @@ Audit: Force audit policy subcategory settings (Windows Vista or later) to overr
<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Applicability-Begin --> <!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Applicability-End --> <!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Applicability-End -->
<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-OmaUri-Begin --> <!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-OmaUri-Begin -->
@ -715,7 +716,7 @@ Devices: Restrict CD-ROM access to locally logged-on user only This security set
<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Applicability-Begin --> <!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Applicability-End --> <!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Applicability-End -->
<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-OmaUri-Begin --> <!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-OmaUri-Begin -->
@ -764,7 +765,7 @@ Devices: Restrict floppy access to locally logged-on user only This security set
<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Applicability-Begin --> <!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Applicability-End --> <!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Applicability-End -->
<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-OmaUri-Begin --> <!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-OmaUri-Begin -->
@ -817,7 +818,7 @@ Domain member: Digitally encrypt or sign secure channel data (always) This secur
<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Applicability-Begin --> <!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Applicability-End --> <!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Applicability-End -->
<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-OmaUri-Begin --> <!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-OmaUri-Begin -->
@ -873,7 +874,7 @@ Domain member: Digitally encrypt secure channel data (when possible) This securi
<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Applicability-Begin --> <!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Applicability-End --> <!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Applicability-End -->
<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-OmaUri-Begin --> <!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-OmaUri-Begin -->
@ -923,7 +924,7 @@ Domain member: Digitally sign secure channel data (when possible) This security
<!-- DomainMember_DisableMachineAccountPasswordChanges-Applicability-Begin --> <!-- DomainMember_DisableMachineAccountPasswordChanges-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DomainMember_DisableMachineAccountPasswordChanges-Applicability-End --> <!-- DomainMember_DisableMachineAccountPasswordChanges-Applicability-End -->
<!-- DomainMember_DisableMachineAccountPasswordChanges-OmaUri-Begin --> <!-- DomainMember_DisableMachineAccountPasswordChanges-OmaUri-Begin -->
@ -980,7 +981,7 @@ Domain member: Disable machine account password changes Determines whether a dom
<!-- DomainMember_MaximumMachineAccountPasswordAge-Applicability-Begin --> <!-- DomainMember_MaximumMachineAccountPasswordAge-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DomainMember_MaximumMachineAccountPasswordAge-Applicability-End --> <!-- DomainMember_MaximumMachineAccountPasswordAge-Applicability-End -->
<!-- DomainMember_MaximumMachineAccountPasswordAge-OmaUri-Begin --> <!-- DomainMember_MaximumMachineAccountPasswordAge-OmaUri-Begin -->
@ -1033,7 +1034,7 @@ Domain member: Maximum machine account password age This security setting determ
<!-- DomainMember_RequireStrongSessionKey-Applicability-Begin --> <!-- DomainMember_RequireStrongSessionKey-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DomainMember_RequireStrongSessionKey-Applicability-End --> <!-- DomainMember_RequireStrongSessionKey-Applicability-End -->
<!-- DomainMember_RequireStrongSessionKey-OmaUri-Begin --> <!-- DomainMember_RequireStrongSessionKey-OmaUri-Begin -->
@ -1318,31 +1319,31 @@ Interactive logon: Don't require CTRL+ALT+DEL This security setting determines w
<!-- InteractiveLogon_DoNotRequireCTRLALTDEL-End --> <!-- InteractiveLogon_DoNotRequireCTRLALTDEL-End -->
<!-- InteractiveLogon_MachineAccountThreshold-Begin --> <!-- InteractiveLogon_MachineAccountLockoutThreshold-Begin -->
## InteractiveLogon_MachineAccountThreshold ## InteractiveLogon_MachineAccountLockoutThreshold
<!-- InteractiveLogon_MachineAccountThreshold-Applicability-Begin --> <!-- InteractiveLogon_MachineAccountLockoutThreshold-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- InteractiveLogon_MachineAccountThreshold-Applicability-End --> <!-- InteractiveLogon_MachineAccountLockoutThreshold-Applicability-End -->
<!-- InteractiveLogon_MachineAccountThreshold-OmaUri-Begin --> <!-- InteractiveLogon_MachineAccountLockoutThreshold-OmaUri-Begin -->
```Device ```Device
./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MachineAccountThreshold ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MachineAccountLockoutThreshold
``` ```
<!-- InteractiveLogon_MachineAccountThreshold-OmaUri-End --> <!-- InteractiveLogon_MachineAccountLockoutThreshold-OmaUri-End -->
<!-- InteractiveLogon_MachineAccountThreshold-Description-Begin --> <!-- InteractiveLogon_MachineAccountLockoutThreshold-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Interactive logon: Machine account threshold. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. This security setting determines the number of failed logon attempts that causes the machine to be locked out. A locked out machine can only be recovered by providing recovery key at console. You can set the value between 1 and 999 failed logon attempts. If you set the value to 0, the machine will never be locked out. Values from 1 to 3 will be interpreted as 4. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password protected screen savers counts as failed logon attempts. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that the appropriate recovery password backup policies are enabled. Default: 0. Interactive logon: Machine account threshold. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. This security setting determines the number of failed logon attempts that causes the machine to be locked out. A locked out machine can only be recovered by providing recovery key at console. You can set the value between 1 and 999 failed logon attempts. If you set the value to 0, the machine will never be locked out. Values from 1 to 3 will be interpreted as 4. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password protected screen savers counts as failed logon attempts. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that the appropriate recovery password backup policies are enabled. Default: 0.
<!-- InteractiveLogon_MachineAccountThreshold-Description-End --> <!-- InteractiveLogon_MachineAccountLockoutThreshold-Description-End -->
<!-- InteractiveLogon_MachineAccountThreshold-Editable-Begin --> <!-- InteractiveLogon_MachineAccountLockoutThreshold-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- InteractiveLogon_MachineAccountThreshold-Editable-End --> <!-- InteractiveLogon_MachineAccountLockoutThreshold-Editable-End -->
<!-- InteractiveLogon_MachineAccountThreshold-DFProperties-Begin --> <!-- InteractiveLogon_MachineAccountLockoutThreshold-DFProperties-Begin -->
**Description framework properties**: **Description framework properties**:
| Property name | Property value | | Property name | Property value |
@ -1351,22 +1352,22 @@ Interactive logon: Machine account threshold. The machine lockout policy is enfo
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-999]` | | Allowed Values | Range: `[0-999]` |
| Default Value | 0 | | Default Value | 0 |
<!-- InteractiveLogon_MachineAccountThreshold-DFProperties-End --> <!-- InteractiveLogon_MachineAccountLockoutThreshold-DFProperties-End -->
<!-- InteractiveLogon_MachineAccountThreshold-GpMapping-Begin --> <!-- InteractiveLogon_MachineAccountLockoutThreshold-GpMapping-Begin -->
**Group policy mapping**: **Group policy mapping**:
| Name | Value | | Name | Value |
|:--|:--| |:--|:--|
| Name | Interactive logon: Machine account lockout threshold | | Name | Interactive logon: Machine account lockout threshold |
| Path | Windows Settings > Security Settings > Local Policies > Security Options | | Path | Windows Settings > Security Settings > Local Policies > Security Options |
<!-- InteractiveLogon_MachineAccountThreshold-GpMapping-End --> <!-- InteractiveLogon_MachineAccountLockoutThreshold-GpMapping-End -->
<!-- InteractiveLogon_MachineAccountThreshold-Examples-Begin --> <!-- InteractiveLogon_MachineAccountLockoutThreshold-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. --> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- InteractiveLogon_MachineAccountThreshold-Examples-End --> <!-- InteractiveLogon_MachineAccountLockoutThreshold-Examples-End -->
<!-- InteractiveLogon_MachineAccountThreshold-End --> <!-- InteractiveLogon_MachineAccountLockoutThreshold-End -->
<!-- InteractiveLogon_MachineInactivityLimit-Begin --> <!-- InteractiveLogon_MachineInactivityLimit-Begin -->
## InteractiveLogon_MachineInactivityLimit ## InteractiveLogon_MachineInactivityLimit
@ -1524,7 +1525,7 @@ Interactive logon: Message title for users attempting to log on This security se
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-Begin --> <!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-End --> <!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-End -->
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-OmaUri-Begin --> <!-- InteractiveLogon_NumberOfPreviousLogonsToCache-OmaUri-Begin -->
@ -1564,7 +1565,7 @@ Interactive logon: Number of previous logons to cache (in case domain controller
<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Applicability-Begin --> <!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Applicability-End --> <!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Applicability-End -->
<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-OmaUri-Begin --> <!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-OmaUri-Begin -->
@ -1859,7 +1860,7 @@ Microsoft network client: Send unencrypted password to connect to third-party SM
<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Applicability-Begin --> <!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Applicability-End --> <!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Applicability-End -->
<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-OmaUri-Begin --> <!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-OmaUri-Begin -->
@ -1884,8 +1885,8 @@ Microsoft network server: Amount of idle time required before suspending a sessi
|:--|:--| |:--|:--|
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-15]` | | Allowed Values | Range: `[0-99999]` |
| Default Value | 15 | | Default Value | 99999 |
<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-DFProperties-End --> <!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-DFProperties-End -->
<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-GpMapping-Begin --> <!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-GpMapping-Begin -->
@ -2042,7 +2043,7 @@ Microsoft network server: Digitally sign communications (if client agrees) This
<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Applicability-Begin --> <!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Applicability-End --> <!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Applicability-End -->
<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-OmaUri-Begin --> <!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-OmaUri-Begin -->
@ -2083,7 +2084,7 @@ Microsoft network server: Disconnect clients when logon hours expire This securi
<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Applicability-Begin --> <!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Applicability-End --> <!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Applicability-End -->
<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-OmaUri-Begin --> <!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-OmaUri-Begin -->
@ -2118,109 +2119,6 @@ Microsoft network server: Server SPN target name validation level This policy se
<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-End --> <!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-End -->
<!-- MinimumPasswordLength-Begin -->
## MinimumPasswordLength
<!-- MinimumPasswordLength-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- MinimumPasswordLength-Applicability-End -->
<!-- MinimumPasswordLength-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MinimumPasswordLength
```
<!-- MinimumPasswordLength-OmaUri-End -->
<!-- MinimumPasswordLength-Description-Begin -->
<!-- Description-Source-DDF -->
This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting depends on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting isn't defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required.
> [!NOTE]
> By default, member computers follow the configuration of their domain controllers. Default values: 7 on domain controllers 0 on stand-alone servers Configuring this setting larger than 14 may affect compatibility with clients, services, and applications. We recommend that you only configure this setting larger than 14 after you use the Minimum password length audit setting to test for potential incompatibilities at the new setting.
<!-- MinimumPasswordLength-Description-End -->
<!-- MinimumPasswordLength-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MinimumPasswordLength-Editable-End -->
<!-- MinimumPasswordLength-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-128]` |
| Default Value | 0 |
<!-- MinimumPasswordLength-DFProperties-End -->
<!-- MinimumPasswordLength-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Minimum password length |
| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
<!-- MinimumPasswordLength-GpMapping-End -->
<!-- MinimumPasswordLength-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- MinimumPasswordLength-Examples-End -->
<!-- MinimumPasswordLength-End -->
<!-- MinimumPasswordLengthAudit-Begin -->
## MinimumPasswordLengthAudit
<!-- MinimumPasswordLengthAudit-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- MinimumPasswordLengthAudit-Applicability-End -->
<!-- MinimumPasswordLengthAudit-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MinimumPasswordLengthAudit
```
<!-- MinimumPasswordLengthAudit-OmaUri-End -->
<!-- MinimumPasswordLengthAudit-Description-Begin -->
<!-- Description-Source-DDF -->
This security setting determines the minimum password length for which password length audit warning events are issued. This setting may be configured from 1 to 128. You should only enable and configure this setting when you try to determine the potential effect of increasing the minimum password length setting in your environment. If this setting isn't defined, audit events won't be issued. If this setting is defined and is less than or equal to the minimum password length setting, audit events won't be issued. If this setting is defined and is greater than the minimum password length setting, and the length of a new account password is less than this setting, an audit event will be issued.
<!-- MinimumPasswordLengthAudit-Description-End -->
<!-- MinimumPasswordLengthAudit-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MinimumPasswordLengthAudit-Editable-End -->
<!-- MinimumPasswordLengthAudit-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[1-128]` |
| Default Value | 4294967295 |
<!-- MinimumPasswordLengthAudit-DFProperties-End -->
<!-- MinimumPasswordLengthAudit-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Minimum password length audit |
| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
<!-- MinimumPasswordLengthAudit-GpMapping-End -->
<!-- MinimumPasswordLengthAudit-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- MinimumPasswordLengthAudit-Examples-End -->
<!-- MinimumPasswordLengthAudit-End -->
<!-- NetworkAccess_AllowAnonymousSIDOrNameTranslation-Begin --> <!-- NetworkAccess_AllowAnonymousSIDOrNameTranslation-Begin -->
## NetworkAccess_AllowAnonymousSIDOrNameTranslation ## NetworkAccess_AllowAnonymousSIDOrNameTranslation
@ -2408,7 +2306,7 @@ Network access: Don't allow anonymous enumeration of SAM accounts and shares Thi
<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Applicability-Begin --> <!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Applicability-End --> <!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Applicability-End -->
<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-OmaUri-Begin --> <!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-OmaUri-Begin -->
@ -2456,7 +2354,7 @@ Network access: Don't allow storage of passwords and credentials for network aut
<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Applicability-Begin --> <!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Applicability-End --> <!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Applicability-End -->
<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-OmaUri-Begin --> <!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-OmaUri-Begin -->
@ -2506,7 +2404,7 @@ Network access: Let Everyone permissions apply to anonymous users This security
<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Applicability-Begin --> <!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Applicability-End --> <!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Applicability-End -->
<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-OmaUri-Begin --> <!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-OmaUri-Begin -->
@ -2531,6 +2429,7 @@ Network access: Named pipes that can be accessed anonymously This security setti
|:--|:--| |:--|:--|
| Format | `chr` (string) | | Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `,`) |
<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-DFProperties-End --> <!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-DFProperties-End -->
<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Examples-Begin --> <!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Examples-Begin -->
@ -2545,7 +2444,7 @@ Network access: Named pipes that can be accessed anonymously This security setti
<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Applicability-Begin --> <!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Applicability-End --> <!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Applicability-End -->
<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-OmaUri-Begin --> <!-- NetworkAccess_RemotelyAccessibleRegistryPaths-OmaUri-Begin -->
@ -2573,6 +2472,7 @@ Network access: Remotely accessible registry paths This security setting determi
|:--|:--| |:--|:--|
| Format | `chr` (string) | | Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `,`) |
<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-DFProperties-End --> <!-- NetworkAccess_RemotelyAccessibleRegistryPaths-DFProperties-End -->
<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Examples-Begin --> <!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Examples-Begin -->
@ -2587,7 +2487,7 @@ Network access: Remotely accessible registry paths This security setting determi
<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Applicability-Begin --> <!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Applicability-End --> <!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Applicability-End -->
<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-OmaUri-Begin --> <!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-OmaUri-Begin -->
@ -2615,6 +2515,7 @@ Network access: Remotely accessible registry paths and subpaths This security se
|:--|:--| |:--|:--|
| Format | `chr` (string) | | Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `,`) |
<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-DFProperties-End --> <!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-DFProperties-End -->
<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Examples-Begin --> <!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Examples-Begin -->
@ -2735,7 +2636,7 @@ Network access: Restrict clients allowed to make remote calls to SAM This policy
<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Applicability-Begin --> <!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Applicability-End --> <!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Applicability-End -->
<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-OmaUri-Begin --> <!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-OmaUri-Begin -->
@ -2760,6 +2661,7 @@ Network access: Shares that can be accessed anonymously This security setting de
|:--|:--| |:--|:--|
| Format | `chr` (string) | | Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `,`) |
<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-DFProperties-End --> <!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-DFProperties-End -->
<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Examples-Begin --> <!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Examples-Begin -->
@ -2774,7 +2676,7 @@ Network access: Shares that can be accessed anonymously This security setting de
<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Applicability-Begin --> <!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Applicability-End --> <!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Applicability-End -->
<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-OmaUri-Begin --> <!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-OmaUri-Begin -->
@ -2818,7 +2720,7 @@ Network access: Sharing and security model for local accounts This security sett
<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Applicability-Begin --> <!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Applicability-End --> <!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Applicability-End -->
<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-OmaUri-Begin --> <!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-OmaUri-Begin -->
@ -3076,7 +2978,7 @@ Network security: Force logoff when logon hours expire This security setting det
|:--|:--| |:--|:--|
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Default Value | 0 | | Default Value | 1 |
<!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-DFProperties-End --> <!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-DFProperties-End -->
<!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-AllowedValues-Begin --> <!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-AllowedValues-Begin -->
@ -3084,8 +2986,8 @@ Network security: Force logoff when logon hours expire This security setting det
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 1 | Enable. | | 1 (Default) | Enable. |
| 0 (Default) | Disable. | | 0 | Disable. |
<!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-AllowedValues-End --> <!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-AllowedValues-End -->
<!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-GpMapping-Begin --> <!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-GpMapping-Begin -->
@ -3174,7 +3076,7 @@ Network security LAN Manager authentication level This security setting determin
<!-- NetworkSecurity_LDAPClientSigningRequirements-Applicability-Begin --> <!-- NetworkSecurity_LDAPClientSigningRequirements-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- NetworkSecurity_LDAPClientSigningRequirements-Applicability-End --> <!-- NetworkSecurity_LDAPClientSigningRequirements-Applicability-End -->
<!-- NetworkSecurity_LDAPClientSigningRequirements-OmaUri-Begin --> <!-- NetworkSecurity_LDAPClientSigningRequirements-OmaUri-Begin -->
@ -3206,7 +3108,7 @@ Network security: LDAP client signing requirements This security setting determi
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-2]` | | Allowed Values | Range: `[0-2]` |
| Default Value | 0 | | Default Value | 1 |
<!-- NetworkSecurity_LDAPClientSigningRequirements-DFProperties-End --> <!-- NetworkSecurity_LDAPClientSigningRequirements-DFProperties-End -->
<!-- NetworkSecurity_LDAPClientSigningRequirements-Examples-Begin --> <!-- NetworkSecurity_LDAPClientSigningRequirements-Examples-Begin -->
@ -3580,7 +3482,7 @@ Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers This po
<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Applicability-Begin --> <!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Applicability-End --> <!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Applicability-End -->
<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-OmaUri-Begin --> <!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-OmaUri-Begin -->
@ -3630,7 +3532,7 @@ Recovery console: Allow automatic administrative logon This security setting det
<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Applicability-Begin --> <!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Applicability-End --> <!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Applicability-End -->
<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-OmaUri-Begin --> <!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-OmaUri-Begin -->
@ -3665,64 +3567,6 @@ Recovery console: Allow floppy copy and access to all drives and all folders Ena
<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-End --> <!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-End -->
<!-- RelaxMinimumPasswordLengthLimits-Begin -->
## RelaxMinimumPasswordLengthLimits
<!-- RelaxMinimumPasswordLengthLimits-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- RelaxMinimumPasswordLengthLimits-Applicability-End -->
<!-- RelaxMinimumPasswordLengthLimits-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/RelaxMinimumPasswordLengthLimits
```
<!-- RelaxMinimumPasswordLengthLimits-OmaUri-End -->
<!-- RelaxMinimumPasswordLengthLimits-Description-Begin -->
<!-- Description-Source-DDF -->
This setting controls whether the minimum password length setting can be increased beyond the legacy limit of 14. If this setting isn't defined, minimum password length may be configured to no more than 14. If this setting is defined and disabled, minimum password length may be configured to no more than 14. If this setting is defined and enabled, minimum password length may be configured more than 14.
<!-- RelaxMinimumPasswordLengthLimits-Description-End -->
<!-- RelaxMinimumPasswordLengthLimits-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- RelaxMinimumPasswordLengthLimits-Editable-End -->
<!-- RelaxMinimumPasswordLengthLimits-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- RelaxMinimumPasswordLengthLimits-DFProperties-End -->
<!-- RelaxMinimumPasswordLengthLimits-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- RelaxMinimumPasswordLengthLimits-AllowedValues-End -->
<!-- RelaxMinimumPasswordLengthLimits-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Relax minimum password length |
| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
<!-- RelaxMinimumPasswordLengthLimits-GpMapping-End -->
<!-- RelaxMinimumPasswordLengthLimits-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- RelaxMinimumPasswordLengthLimits-Examples-End -->
<!-- RelaxMinimumPasswordLengthLimits-End -->
<!-- Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn-Begin --> <!-- Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn-Begin -->
## Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn ## Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
@ -3845,7 +3689,7 @@ Shutdown: Clear virtual memory pagefile This security setting determines whether
<!-- SystemCryptography_ForceStrongKeyProtection-Applicability-Begin --> <!-- SystemCryptography_ForceStrongKeyProtection-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SystemCryptography_ForceStrongKeyProtection-Applicability-End --> <!-- SystemCryptography_ForceStrongKeyProtection-Applicability-End -->
<!-- SystemCryptography_ForceStrongKeyProtection-OmaUri-Begin --> <!-- SystemCryptography_ForceStrongKeyProtection-OmaUri-Begin -->
@ -3886,7 +3730,7 @@ System Cryptography: Force strong key protection for user keys stored on the com
<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Applicability-Begin --> <!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Applicability-End --> <!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Applicability-End -->
<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-OmaUri-Begin --> <!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-OmaUri-Begin -->
@ -3936,7 +3780,7 @@ System objects: Require case insensitivity for non-Windows subsystems This secur
<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Applicability-Begin --> <!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Applicability-End --> <!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Applicability-End -->
<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-OmaUri-Begin --> <!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-OmaUri-Begin -->
@ -4094,6 +3938,64 @@ User Account Control: Behavior of the elevation prompt for administrators in Adm
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministrators-End --> <!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministrators-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Begin -->
## UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Applicability-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators
```
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-OmaUri-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Description-Begin -->
<!-- Description-Source-DDF -->
User Account Control: Behavior of the elevation prompt for administrators running with enhanced privilege protection. This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. - Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Description-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Editable-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 2 |
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-DFProperties-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 | Prompt for credentials on the secure desktop. |
| 2 (Default) | Prompt for consent on the secure desktop. |
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-AllowedValues-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | User Account Control: Behavior of the elevation prompt for administrators running with enhanced privilege protection |
| Path | Windows Settings > Security Settings > Local Policies > Security Options |
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-GpMapping-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Examples-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers-Begin --> <!-- UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers-Begin -->
## UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers ## UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
@ -4446,6 +4348,64 @@ User Account Control: Switch to the secure desktop when prompting for elevation
<!-- UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation-End --> <!-- UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation-End -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-Begin -->
## UserAccountControl_TypeOfAdminApprovalMode
<!-- UserAccountControl_TypeOfAdminApprovalMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- UserAccountControl_TypeOfAdminApprovalMode-Applicability-End -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_TypeOfAdminApprovalMode
```
<!-- UserAccountControl_TypeOfAdminApprovalMode-OmaUri-End -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-Description-Begin -->
<!-- Description-Source-DDF -->
User Account Control: Configure type of Admin Approval Mode. This policy setting controls whether enhanced privilege protection is applied to admin approval mode elevations. If you change this policy setting, you must restart your computer. This policy is only supported on Windows Desktop, not Server. The options are: - Admin Approval Mode is running in legacy mode (default). - Admin Approval Mode is running with enhanced privilege protection.
<!-- UserAccountControl_TypeOfAdminApprovalMode-Description-End -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-Editable-End -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- UserAccountControl_TypeOfAdminApprovalMode-DFProperties-End -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 (Default) | Legacy Admin Approval Mode. |
| 2 | Admin Approval Mode with enhanced privilege protection. |
<!-- UserAccountControl_TypeOfAdminApprovalMode-AllowedValues-End -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | User Account Control: Configure type of Admin Approval Mode |
| Path | Windows Settings > Security Settings > Local Policies > Security Options |
<!-- UserAccountControl_TypeOfAdminApprovalMode-GpMapping-End -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-Examples-End -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-End -->
<!-- UserAccountControl_UseAdminApprovalMode-Begin --> <!-- UserAccountControl_UseAdminApprovalMode-Begin -->
## UserAccountControl_UseAdminApprovalMode ## UserAccountControl_UseAdminApprovalMode

105
windows/client-management/mdm/policy-csp-mixedreality.md
View File

@ -1,7 +1,7 @@
--- ---
title: MixedReality Policy CSP title: MixedReality Policy CSP
description: Learn more about the MixedReality Area in Policy CSP. description: Learn more about the MixedReality Area in Policy CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -321,6 +321,97 @@ This policy setting controls if pressing the brightness button changes the brigh
<!-- BrightnessButtonDisabled-End --> <!-- BrightnessButtonDisabled-End -->
<!-- ConfigureDeviceStandbyAction-Begin -->
## ConfigureDeviceStandbyAction
<!-- ConfigureDeviceStandbyAction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ConfigureDeviceStandbyAction-Applicability-End -->
<!-- ConfigureDeviceStandbyAction-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/ConfigureDeviceStandbyAction
```
<!-- ConfigureDeviceStandbyAction-OmaUri-End -->
<!-- ConfigureDeviceStandbyAction-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls device maintenance action during standby.
<!-- ConfigureDeviceStandbyAction-Description-End -->
<!-- ConfigureDeviceStandbyAction-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureDeviceStandbyAction-Editable-End -->
<!-- ConfigureDeviceStandbyAction-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ConfigureDeviceStandbyAction-DFProperties-End -->
<!-- ConfigureDeviceStandbyAction-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Not configured. |
| 1 | Logoff users. |
| 2 | Reboot device. |
<!-- ConfigureDeviceStandbyAction-AllowedValues-End -->
<!-- ConfigureDeviceStandbyAction-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureDeviceStandbyAction-Examples-End -->
<!-- ConfigureDeviceStandbyAction-End -->
<!-- ConfigureDeviceStandbyActionTimeout-Begin -->
## ConfigureDeviceStandbyActionTimeout
<!-- ConfigureDeviceStandbyActionTimeout-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ConfigureDeviceStandbyActionTimeout-Applicability-End -->
<!-- ConfigureDeviceStandbyActionTimeout-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/ConfigureDeviceStandbyActionTimeout
```
<!-- ConfigureDeviceStandbyActionTimeout-OmaUri-End -->
<!-- ConfigureDeviceStandbyActionTimeout-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls when to start maintenance action after device enters standby. The timeout value is in hours.
<!-- ConfigureDeviceStandbyActionTimeout-Description-End -->
<!-- ConfigureDeviceStandbyActionTimeout-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureDeviceStandbyActionTimeout-Editable-End -->
<!-- ConfigureDeviceStandbyActionTimeout-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[1-168]` |
| Default Value | 8 |
<!-- ConfigureDeviceStandbyActionTimeout-DFProperties-End -->
<!-- ConfigureDeviceStandbyActionTimeout-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureDeviceStandbyActionTimeout-Examples-End -->
<!-- ConfigureDeviceStandbyActionTimeout-End -->
<!-- ConfigureMovingPlatform-Begin --> <!-- ConfigureMovingPlatform-Begin -->
## ConfigureMovingPlatform ## ConfigureMovingPlatform
@ -643,7 +734,7 @@ Windows Network Connectivity Status Indicator may get a false positive internet-
<!-- EnableStartMenuSingleHandGesture-Applicability-Begin --> <!-- EnableStartMenuSingleHandGesture-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- EnableStartMenuSingleHandGesture-Applicability-End --> <!-- EnableStartMenuSingleHandGesture-Applicability-End -->
<!-- EnableStartMenuSingleHandGesture-OmaUri-Begin --> <!-- EnableStartMenuSingleHandGesture-OmaUri-Begin -->
@ -692,7 +783,7 @@ This policy setting controls if pinching your thumb and index finger, while look
<!-- EnableStartMenuVoiceCommand-Applicability-Begin --> <!-- EnableStartMenuVoiceCommand-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- EnableStartMenuVoiceCommand-Applicability-End --> <!-- EnableStartMenuVoiceCommand-Applicability-End -->
<!-- EnableStartMenuVoiceCommand-OmaUri-Begin --> <!-- EnableStartMenuVoiceCommand-OmaUri-Begin -->
@ -741,7 +832,7 @@ This policy setting controls if using voice commands to open the Start menu is e
<!-- EnableStartMenuWristTap-Applicability-Begin --> <!-- EnableStartMenuWristTap-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- EnableStartMenuWristTap-Applicability-End --> <!-- EnableStartMenuWristTap-Applicability-End -->
<!-- EnableStartMenuWristTap-OmaUri-Begin --> <!-- EnableStartMenuWristTap-OmaUri-Begin -->
@ -1104,7 +1195,7 @@ The following example XML string shows the value to enable this policy:
<!-- PreferLogonAsOtherUser-Applicability-Begin --> <!-- PreferLogonAsOtherUser-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- PreferLogonAsOtherUser-Applicability-End --> <!-- PreferLogonAsOtherUser-Applicability-End -->
<!-- PreferLogonAsOtherUser-OmaUri-Begin --> <!-- PreferLogonAsOtherUser-OmaUri-Begin -->
@ -1153,7 +1244,7 @@ This policy configures whether the Sign-In App should prefer showing Other User
<!-- RequireStartIconHold-Applicability-Begin --> <!-- RequireStartIconHold-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- RequireStartIconHold-Applicability-End --> <!-- RequireStartIconHold-Applicability-End -->
<!-- RequireStartIconHold-OmaUri-Begin --> <!-- RequireStartIconHold-OmaUri-Begin -->
@ -1202,7 +1293,7 @@ This policy setting controls if it's require that the Start icon to be pressed f
<!-- RequireStartIconVisible-Applicability-Begin --> <!-- RequireStartIconVisible-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- RequireStartIconVisible-Applicability-End --> <!-- RequireStartIconVisible-Applicability-End -->
<!-- RequireStartIconVisible-OmaUri-Begin --> <!-- RequireStartIconVisible-OmaUri-Begin -->

6
windows/client-management/mdm/policy-csp-mssecurityguide.md
View File

@ -1,7 +1,7 @@
--- ---
title: MSSecurityGuide Policy CSP title: MSSecurityGuide Policy CSP
description: Learn more about the MSSecurityGuide Area in Policy CSP. description: Learn more about the MSSecurityGuide Area in Policy CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -11,6 +11,8 @@ ms.date: 01/18/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)] [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- MSSecurityGuide-Editable-Begin --> <!-- MSSecurityGuide-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MSSecurityGuide-Editable-End --> <!-- MSSecurityGuide-Editable-End -->
@ -221,7 +223,7 @@ ms.date: 01/18/2024
<!-- NetBTNodeTypeConfiguration-Applicability-Begin --> <!-- NetBTNodeTypeConfiguration-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- NetBTNodeTypeConfiguration-Applicability-End --> <!-- NetBTNodeTypeConfiguration-Applicability-End -->
<!-- NetBTNodeTypeConfiguration-OmaUri-Begin --> <!-- NetBTNodeTypeConfiguration-OmaUri-Begin -->

16
windows/client-management/mdm/policy-csp-networklistmanager.md
View File

@ -1,7 +1,7 @@
--- ---
title: NetworkListManager Policy CSP title: NetworkListManager Policy CSP
description: Learn more about the NetworkListManager Area in Policy CSP. description: Learn more about the NetworkListManager Area in Policy CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 01/18/2024
<!-- NetworkListManager-Begin --> <!-- NetworkListManager-Begin -->
# Policy CSP - NetworkListManager # Policy CSP - NetworkListManager
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- NetworkListManager-Editable-Begin --> <!-- NetworkListManager-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- NetworkListManager-Editable-End --> <!-- NetworkListManager-Editable-End -->
@ -19,7 +21,7 @@ ms.date: 01/18/2024
<!-- AllNetworks_NetworkIcon-Applicability-Begin --> <!-- AllNetworks_NetworkIcon-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllNetworks_NetworkIcon-Applicability-End --> <!-- AllNetworks_NetworkIcon-Applicability-End -->
<!-- AllNetworks_NetworkIcon-OmaUri-Begin --> <!-- AllNetworks_NetworkIcon-OmaUri-Begin -->
@ -68,7 +70,7 @@ This policy setting allows you to specify whether users can change the network i
<!-- AllNetworks_NetworkLocation-Applicability-Begin --> <!-- AllNetworks_NetworkLocation-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllNetworks_NetworkLocation-Applicability-End --> <!-- AllNetworks_NetworkLocation-Applicability-End -->
<!-- AllNetworks_NetworkLocation-OmaUri-Begin --> <!-- AllNetworks_NetworkLocation-OmaUri-Begin -->
@ -117,7 +119,7 @@ This policy setting allows you to specify whether users can change the network l
<!-- AllNetworks_NetworkName-Applicability-Begin --> <!-- AllNetworks_NetworkName-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllNetworks_NetworkName-Applicability-End --> <!-- AllNetworks_NetworkName-Applicability-End -->
<!-- AllNetworks_NetworkName-OmaUri-Begin --> <!-- AllNetworks_NetworkName-OmaUri-Begin -->
@ -260,7 +262,7 @@ This policy setting provides the string that names a network. If this setting is
<!-- IdentifyingNetworks_LocationType-Applicability-Begin --> <!-- IdentifyingNetworks_LocationType-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- IdentifyingNetworks_LocationType-Applicability-End --> <!-- IdentifyingNetworks_LocationType-Applicability-End -->
<!-- IdentifyingNetworks_LocationType-OmaUri-Begin --> <!-- IdentifyingNetworks_LocationType-OmaUri-Begin -->
@ -309,7 +311,7 @@ This policy setting allows you to configure the Network Location for networks th
<!-- UnidentifiedNetworks_LocationType-Applicability-Begin --> <!-- UnidentifiedNetworks_LocationType-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- UnidentifiedNetworks_LocationType-Applicability-End --> <!-- UnidentifiedNetworks_LocationType-Applicability-End -->
<!-- UnidentifiedNetworks_LocationType-OmaUri-Begin --> <!-- UnidentifiedNetworks_LocationType-OmaUri-Begin -->
@ -358,7 +360,7 @@ This policy setting allows you to configure the Network Location type for networ
<!-- UnidentifiedNetworks_UserPermissions-Applicability-Begin --> <!-- UnidentifiedNetworks_UserPermissions-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- UnidentifiedNetworks_UserPermissions-Applicability-End --> <!-- UnidentifiedNetworks_UserPermissions-Applicability-End -->
<!-- UnidentifiedNetworks_UserPermissions-OmaUri-Begin --> <!-- UnidentifiedNetworks_UserPermissions-OmaUri-Begin -->

52
windows/client-management/mdm/policy-csp-printers.md
View File

@ -1,7 +1,7 @@
--- ---
title: Printers Policy CSP title: Printers Policy CSP
description: Learn more about the Printers Area in Policy CSP. description: Learn more about the Printers Area in Policy CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -669,6 +669,56 @@ If you disable or don't configure this policy setting, dynamic TCP ports are use
<!-- ConfigureRpcTcpPort-End --> <!-- ConfigureRpcTcpPort-End -->
<!-- ConfigureWindowsProtectedPrint-Begin -->
## ConfigureWindowsProtectedPrint
<!-- ConfigureWindowsProtectedPrint-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- ConfigureWindowsProtectedPrint-Applicability-End -->
<!-- ConfigureWindowsProtectedPrint-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureWindowsProtectedPrint
```
<!-- ConfigureWindowsProtectedPrint-OmaUri-End -->
<!-- ConfigureWindowsProtectedPrint-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- ConfigureWindowsProtectedPrint-Description-End -->
<!-- ConfigureWindowsProtectedPrint-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureWindowsProtectedPrint-Editable-End -->
<!-- ConfigureWindowsProtectedPrint-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- ConfigureWindowsProtectedPrint-DFProperties-End -->
<!-- ConfigureWindowsProtectedPrint-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | ConfigureWindowsProtectedPrint |
| ADMX File Name | Printing.admx |
<!-- ConfigureWindowsProtectedPrint-AdmxBacked-End -->
<!-- ConfigureWindowsProtectedPrint-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureWindowsProtectedPrint-Examples-End -->
<!-- ConfigureWindowsProtectedPrint-End -->
<!-- EnableDeviceControl-Begin --> <!-- EnableDeviceControl-Begin -->
## EnableDeviceControl ## EnableDeviceControl

4
windows/client-management/mdm/policy-csp-search.md
View File

@ -1,7 +1,7 @@
--- ---
title: Search Policy CSP title: Search Policy CSP
description: Learn more about the Search Area in Policy CSP. description: Learn more about the Search Area in Policy CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -286,7 +286,7 @@ The most restrictive value is `0` to not allow indexing of encrypted items.
<!-- AllowSearchHighlights-Applicability-Begin --> <!-- AllowSearchHighlights-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2009 [10.0.19042.1620] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1620] and later <br> ✅ Windows 10, version 21H2 [10.0.19044.1620] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1761] and later <br> ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- AllowSearchHighlights-Applicability-End --> <!-- AllowSearchHighlights-Applicability-End -->
<!-- AllowSearchHighlights-OmaUri-Begin --> <!-- AllowSearchHighlights-OmaUri-Begin -->

4
windows/client-management/mdm/policy-csp-smartscreen.md
View File

@ -1,7 +1,7 @@
--- ---
title: SmartScreen Policy CSP title: SmartScreen Policy CSP
description: Learn more about the SmartScreen Area in Policy CSP. description: Learn more about the SmartScreen Area in Policy CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -70,6 +70,8 @@ App Install Control is a feature of Windows Defender SmartScreen that helps prot
|:--|:--| |:--|:--|
| 0 (Default) | Turns off Application Installation Control, allowing users to download and install files from anywhere on the web. | | 0 (Default) | Turns off Application Installation Control, allowing users to download and install files from anywhere on the web. |
| 1 | Turns on Application Installation Control, allowing users to only install apps from the Store. | | 1 | Turns on Application Installation Control, allowing users to only install apps from the Store. |
| 2 | Turns on Application Installation Control, letting users know that there's a comparable app in the Store. |
| 3 | Turns on Application Installation Control, warning users before installing apps from outside the Store. |
<!-- EnableAppInstallControl-AllowedValues-End --> <!-- EnableAppInstallControl-AllowedValues-End -->
<!-- EnableAppInstallControl-GpMapping-Begin --> <!-- EnableAppInstallControl-GpMapping-Begin -->

78
windows/client-management/mdm/policy-csp-sudo.md Normal file
View File

@ -0,0 +1,78 @@
---
title: Sudo Policy CSP
description: Learn more about the Sudo Area in Policy CSP.
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
<!-- Sudo-Begin -->
# Policy CSP - Sudo
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Sudo-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Sudo-Editable-End -->
<!-- EnableSudo-Begin -->
## EnableSudo
<!-- EnableSudo-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- EnableSudo-Applicability-End -->
<!-- EnableSudo-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Sudo/EnableSudo
```
<!-- EnableSudo-OmaUri-End -->
<!-- EnableSudo-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- EnableSudo-Description-End -->
<!-- EnableSudo-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableSudo-Editable-End -->
<!-- EnableSudo-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- EnableSudo-DFProperties-End -->
<!-- EnableSudo-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | EnableSudo |
| ADMX File Name | Sudo.admx |
<!-- EnableSudo-AdmxBacked-End -->
<!-- EnableSudo-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableSudo-Examples-End -->
<!-- EnableSudo-End -->
<!-- Sudo-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- Sudo-CspMoreInfo-End -->
<!-- Sudo-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

4
windows/client-management/mdm/policy-csp-update.md
View File

@ -1,7 +1,7 @@
--- ---
title: Update Policy CSP title: Update Policy CSP
description: Learn more about the Update Area in Policy CSP. description: Learn more about the Update Area in Policy CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -275,7 +275,7 @@ Allows the IT admin to manage whether Automatic Updates accepts updates signed b
<!-- AllowOptionalContent-Applicability-Begin --> <!-- AllowOptionalContent-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 21H2 [10.0.19044.3757] and later |
<!-- AllowOptionalContent-Applicability-End --> <!-- AllowOptionalContent-Applicability-End -->
<!-- AllowOptionalContent-OmaUri-Begin --> <!-- AllowOptionalContent-OmaUri-Begin -->

6
windows/client-management/mdm/policy-csp-webthreatdefense.md
View File

@ -1,7 +1,7 @@
--- ---
title: WebThreatDefense Policy CSP title: WebThreatDefense Policy CSP
description: Learn more about the WebThreatDefense Area in Policy CSP. description: Learn more about the WebThreatDefense Area in Policy CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 01/18/2024
<!-- WebThreatDefense-Begin --> <!-- WebThreatDefense-Begin -->
# Policy CSP - WebThreatDefense # Policy CSP - WebThreatDefense
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WebThreatDefense-Editable-Begin --> <!-- WebThreatDefense-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE] > [!NOTE]
@ -21,7 +23,7 @@ ms.date: 01/18/2024
<!-- AutomaticDataCollection-Applicability-Begin --> <!-- AutomaticDataCollection-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 23H2 [10.0.22631] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AutomaticDataCollection-Applicability-End --> <!-- AutomaticDataCollection-Applicability-End -->
<!-- AutomaticDataCollection-OmaUri-Begin --> <!-- AutomaticDataCollection-OmaUri-Begin -->

8
windows/client-management/mdm/policy-csp-wifi.md
View File

@ -1,7 +1,7 @@
--- ---
title: Wifi Policy CSP title: Wifi Policy CSP
description: Learn more about the Wifi Area in Policy CSP. description: Learn more about the Wifi Area in Policy CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 01/18/2024
<!-- Wifi-Begin --> <!-- Wifi-Begin -->
# Policy CSP - Wifi # Policy CSP - Wifi
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Wifi-Editable-Begin --> <!-- Wifi-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Wifi-Editable-End --> <!-- Wifi-Editable-End -->
@ -227,7 +229,7 @@ Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks.
<!-- AllowWFAQosManagementDSCPToUPMapping-Applicability-Begin --> <!-- AllowWFAQosManagementDSCPToUPMapping-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllowWFAQosManagementDSCPToUPMapping-Applicability-End --> <!-- AllowWFAQosManagementDSCPToUPMapping-Applicability-End -->
<!-- AllowWFAQosManagementDSCPToUPMapping-OmaUri-Begin --> <!-- AllowWFAQosManagementDSCPToUPMapping-OmaUri-Begin -->
@ -277,7 +279,7 @@ Allow or disallow the device to use the DSCP to UP Mapping feature from the Wi-F
<!-- AllowWFAQosManagementMSCS-Applicability-Begin --> <!-- AllowWFAQosManagementMSCS-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllowWFAQosManagementMSCS-Applicability-End --> <!-- AllowWFAQosManagementMSCS-Applicability-End -->
<!-- AllowWFAQosManagementMSCS-OmaUri-Begin --> <!-- AllowWFAQosManagementMSCS-OmaUri-Begin -->

68
windows/client-management/mdm/policy-csp-windowsai.md
View File

@ -1,7 +1,7 @@
--- ---
title: WindowsAI Policy CSP title: WindowsAI Policy CSP
description: Learn more about the WindowsAI Area in Policy CSP. description: Learn more about the WindowsAI Area in Policy CSP.
ms.date: 01/18/2024 ms.date: 01/31/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -9,17 +9,81 @@ ms.date: 01/18/2024
<!-- WindowsAI-Begin --> <!-- WindowsAI-Begin -->
# Policy CSP - WindowsAI # Policy CSP - WindowsAI
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WindowsAI-Editable-Begin --> <!-- WindowsAI-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- WindowsAI-Editable-End --> <!-- WindowsAI-Editable-End -->
<!-- DisableAIDataAnalysis-Begin -->
## DisableAIDataAnalysis
<!-- DisableAIDataAnalysis-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- DisableAIDataAnalysis-Applicability-End -->
<!-- DisableAIDataAnalysis-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis
```
<!-- DisableAIDataAnalysis-OmaUri-End -->
<!-- DisableAIDataAnalysis-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to prevent Windows AI from using and analyzing user patterns and data.
- If you enable this policy setting, Windows AI won't be able to take advantage of historical user patterns.
- If you disable or don't configure this policy setting, Windows AI will be able to assist users by considering their historical behaviors and data.
<!-- DisableAIDataAnalysis-Description-End -->
<!-- DisableAIDataAnalysis-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableAIDataAnalysis-Editable-End -->
<!-- DisableAIDataAnalysis-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- DisableAIDataAnalysis-DFProperties-End -->
<!-- DisableAIDataAnalysis-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Enable Data Analysis for Windows AI. |
| 1 | Disable Data Analysis for Windows AI. |
<!-- DisableAIDataAnalysis-AllowedValues-End -->
<!-- DisableAIDataAnalysis-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | DisableAIDataAnalysis |
| Path | WindowsAI > AT > WindowsComponents > WindowsAI |
<!-- DisableAIDataAnalysis-GpMapping-End -->
<!-- DisableAIDataAnalysis-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableAIDataAnalysis-Examples-End -->
<!-- DisableAIDataAnalysis-End -->
<!-- TurnOffWindowsCopilot-Begin --> <!-- TurnOffWindowsCopilot-Begin -->
## TurnOffWindowsCopilot ## TurnOffWindowsCopilot
<!-- TurnOffWindowsCopilot-Applicability-Begin --> <!-- TurnOffWindowsCopilot-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 [10.0.19045.3758] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.2361] and later <br> ✅ Windows 11, version 23H2 [10.0.22631] and later | | ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 21H2 [10.0.19044.3758] and later <br> ✅ Windows 10, version 22H2 [10.0.19045.3758] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.2361] and later <br> ✅ Windows 11, version 23H2 [10.0.22631] and later |
<!-- TurnOffWindowsCopilot-Applicability-End --> <!-- TurnOffWindowsCopilot-Applicability-End -->
<!-- TurnOffWindowsCopilot-OmaUri-Begin --> <!-- TurnOffWindowsCopilot-OmaUri-Begin -->

2
windows/client-management/mdm/toc.yml
View File

@ -537,6 +537,8 @@ items:
href: policy-csp-stickers.md href: policy-csp-stickers.md
- name: Storage - name: Storage
href: policy-csp-storage.md href: policy-csp-storage.md
- name: Sudo
href: policy-csp-sudo.md
- name: System - name: System
href: policy-csp-system.md href: policy-csp-system.md
- name: SystemServices - name: SystemServices

367
windows/configuration/TOC.yml
View File

@ -1,367 +0,0 @@
- name: Configure Windows client
href: index.yml
- name: Customize the appearance
items:
- name: Windows 11
items:
- name: Start menu
items:
- name: Customize Start menu layout
href: customize-start-menu-layout-windows-11.md
- name: Supported Start menu CSPs
href: supported-csp-start-menu-layout-windows.md
- name: Taskbar
items:
- name: Customize Taskbar
href: customize-taskbar-windows-11.md
- name: Supported Taskbar CSPs
href: supported-csp-taskbar-windows.md
- name: Windows 10 Start and taskbar
items:
- name: Start layout and taskbar
href: windows-10-start-layout-options-and-policies.md
- name: Use XML
items:
- name: Customize and export Start layout
href: customize-and-export-start-layout.md
- name: Customize the taskbar
href: configure-windows-10-taskbar.md
- name: Add image for secondary Microsoft Edge tiles
href: start-secondary-tiles.md
- name: Start layout XML for Windows 10 desktop editions (reference)
href: start-layout-xml-desktop.md
- name: Use group policy
href: customize-windows-10-start-screens-by-using-group-policy.md
- name: Use provisioning packages
href: customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
- name: Use mobile device management (MDM)
href: customize-windows-10-start-screens-by-using-mobile-device-management.md
- name: Troubleshoot Start menu errors
href: /troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors
- name: Changes to Start policies in Windows 10
href: changes-to-start-policies-in-windows-10.md
- name: Accessibility settings
items:
- name: Accessibility information for IT Pros
href: windows-accessibility-for-ITPros.md
- name: Configure access to Microsoft Store
href: stop-employees-from-using-microsoft-store.md
- name: Configure Windows Spotlight on the lock screen
href: windows-spotlight.md
- name: Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions
href: manage-tips-and-suggestions.md
- name: Configure cellular settings for tablets and PCs
href: provisioning-apn.md
- name: Lockdown features from Windows Embedded 8.1 Industry
href: lockdown-features-windows-10.md
- name: Configure kiosks and digital signs
items:
- name: Configure kiosks and digital signs on Windows desktop editions
href: kiosk-methods.md
- name: Prepare a device for kiosk configuration
href: kiosk-prepare.md
- name: Set up digital signs
href: setup-digital-signage.md
- name: Set up a single-app kiosk
href: kiosk-single-app.md
- name: Set up a multi-app kiosk for Windows 10
href: lock-down-windows-10-to-specific-apps.md
- name: Set up a multi-app kiosk for Windows 11
href: lock-down-windows-11-to-specific-apps.md
- name: Kiosk reference information
items:
- name: More kiosk methods and reference information
href: kiosk-additional-reference.md
- name: Find the Application User Model ID of an installed app
href: find-the-application-user-model-id-of-an-installed-app.md
- name: Validate your kiosk configuration
href: kiosk-validate.md
- name: Guidelines for choosing an app for assigned access (kiosk mode)
href: guidelines-for-assigned-access-app.md
- name: Policies enforced on kiosk devices
href: kiosk-policies.md
- name: Assigned access XML reference
href: kiosk-xml.md
- name: Use AppLocker to create a Windows 10 kiosk
href: lock-down-windows-10-applocker.md
- name: Use Shell Launcher to create a Windows client kiosk
href: kiosk-shelllauncher.md
- name: Use MDM Bridge WMI Provider to create a Windows client kiosk
href: kiosk-mdm-bridge.md
- name: Troubleshoot kiosk mode issues
href: /troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting
- name: Configure multi-user and guest devices
items:
- name: Shared devices concepts
href: shared-devices-concepts.md
- name: Configure shared devices with Shared PC
href: set-up-shared-or-guest-pc.md
- name: Shared PC technical reference
href: shared-pc-technical.md
- name: Use provisioning packages
items:
- name: Provisioning packages for Windows client
href: provisioning-packages/provisioning-packages.md
- name: How provisioning works in Windows client
href: provisioning-packages/provisioning-how-it-works.md
- name: Introduction to configuration service providers (CSPs)
href: provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
- name: Install Windows Configuration Designer
href: provisioning-packages/provisioning-install-icd.md
- name: Create a provisioning package
href: provisioning-packages/provisioning-create-package.md
- name: Apply a provisioning package
href: provisioning-packages/provisioning-apply-package.md
- name: Settings changed when you uninstall a provisioning package
href: provisioning-packages/provisioning-uninstall-package.md
- name: Provision PCs with common settings for initial deployment (desktop wizard)
href: provisioning-packages/provision-pcs-for-initial-deployment.md
- name: Provision PCs with apps
href: provisioning-packages/provision-pcs-with-apps.md
- name: Use a script to install a desktop app in provisioning packages
href: provisioning-packages/provisioning-script-to-install-app.md
- name: Create a provisioning package with multivariant settings
href: provisioning-packages/provisioning-multivariant.md
- name: PowerShell cmdlets for provisioning Windows client (reference)
href: provisioning-packages/provisioning-powershell.md
- name: Diagnose provisioning packages
href: provisioning-packages/diagnose-provisioning-packages.md
- name: Windows Configuration Designer command-line interface (reference)
href: provisioning-packages/provisioning-command-line.md
- name: Configure Cortana
items:
- name: Configure Cortana in Windows 10
href: cortana-at-work/cortana-at-work-overview.md
- name: Testing scenarios using Cortana n Windows 10, version 2004 and later
items:
- name: Set up and test Cortana in Windows 10, version 2004 and later
href: cortana-at-work/set-up-and-test-cortana-in-windows-10.md
- name: Cortana at work testing scenarios
href: cortana-at-work/cortana-at-work-testing-scenarios.md
- name: Test scenario 1 - Sign into Microsoft Entra ID, enable the wake word, and try a voice query
href: cortana-at-work/cortana-at-work-scenario-1.md
- name: Test scenario 2 - Run a Bing search with Cortana
href: cortana-at-work/cortana-at-work-scenario-2.md
- name: Test scenario 3 - Set a reminder
href: cortana-at-work/cortana-at-work-scenario-3.md
- name: Test scenario 4 - Use Cortana to find free time on your calendar
href: cortana-at-work/cortana-at-work-scenario-4.md
- name: Test scenario 5 - Find out about a person
href: cortana-at-work/cortana-at-work-scenario-5.md
- name: Test scenario 6 - Change your language and run a quick search with Cortana
href: cortana-at-work/cortana-at-work-scenario-6.md
- name: Send feedback about Cortana back to Microsoft
href: cortana-at-work/cortana-at-work-feedback.md
- name: Testing scenarios using Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
items:
- name: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
href: cortana-at-work/cortana-at-work-o365.md
- name: Testing scenarios using Cortana in your business or organization
href: cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
- name: Test scenario 1 - Sign into Microsoft Entra ID, enable the wake word, and try a voice query
href: cortana-at-work/test-scenario-1.md
- name: Test scenario 2 - Run a quick search with Cortana at work
href: cortana-at-work/test-scenario-2.md
- name: Test scenario 3 - Set a reminder for a specific location using Cortana at work
href: cortana-at-work/test-scenario-3.md
- name: Test scenario 4 - Use Cortana at work to find your upcoming meetings
href: cortana-at-work/test-scenario-4.md
- name: Test scenario 5 - Use Cortana to send email to a coworker
href: cortana-at-work/test-scenario-5.md
- name: Test scenario 6 - Review a reminder suggested by Cortana based on what youve promised in email
href: cortana-at-work/test-scenario-6.md
- name: Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organizations data on a device
href: cortana-at-work/cortana-at-work-scenario-7.md
- name: Set up and test custom voice commands in Cortana for your organization
href: cortana-at-work/cortana-at-work-voice-commands.md
- name: Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
href: cortana-at-work/cortana-at-work-policy-settings.md
- name: Reference
items:
- name: Windows Configuration Designer reference
items:
- name: Windows Configuration Designer provisioning settings (reference)
href: wcd/wcd.md
- name: Changes to settings in Windows Configuration Designer
href: wcd/wcd-changes.md
- name: AccountManagement
href: wcd/wcd-accountmanagement.md
- name: Accounts
href: wcd/wcd-accounts.md
- name: ADMXIngestion
href: wcd/wcd-admxingestion.md
- name: AssignedAccess
href: wcd/wcd-assignedaccess.md
- name: Browser
href: wcd/wcd-browser.md
- name: CellCore
href: wcd/wcd-cellcore.md
- name: Cellular
href: wcd/wcd-cellular.md
- name: Certificates
href: wcd/wcd-certificates.md
- name: CleanPC
href: wcd/wcd-cleanpc.md
- name: Connections
href: wcd/wcd-connections.md
- name: ConnectivityProfiles
href: wcd/wcd-connectivityprofiles.md
- name: CountryAndRegion
href: wcd/wcd-countryandregion.md
- name: DesktopBackgroundAndColors
href: wcd/wcd-desktopbackgroundandcolors.md
- name: DeveloperSetup
href: wcd/wcd-developersetup.md
- name: DeviceFormFactor
href: wcd/wcd-deviceformfactor.md
- name: DeviceManagement
href: wcd/wcd-devicemanagement.md
- name: DeviceUpdateCenter
href: wcd/wcd-deviceupdatecenter.md
- name: DMClient
href: wcd/wcd-dmclient.md
- name: EditionUpgrade
href: wcd/wcd-editionupgrade.md
- name: FirewallConfiguration
href: wcd/wcd-firewallconfiguration.md
- name: FirstExperience
href: wcd/wcd-firstexperience.md
- name: Folders
href: wcd/wcd-folders.md
- name: HotSpot
href: wcd/wcd-hotspot.md
- name: KioskBrowser
href: wcd/wcd-kioskbrowser.md
- name: Licensing
href: wcd/wcd-licensing.md
- name: Location
href: wcd/wcd-location.md
- name: Maps
href: wcd/wcd-maps.md
- name: NetworkProxy
href: wcd/wcd-networkproxy.md
- name: NetworkQOSPolicy
href: wcd/wcd-networkqospolicy.md
- name: OOBE
href: wcd/wcd-oobe.md
- name: Personalization
href: wcd/wcd-personalization.md
- name: Policies
href: wcd/wcd-policies.md
- name: Privacy
href: wcd/wcd-privacy.md
- name: ProvisioningCommands
href: wcd/wcd-provisioningcommands.md
- name: SharedPC
href: wcd/wcd-sharedpc.md
- name: SMISettings
href: wcd/wcd-smisettings.md
- name: Start
href: wcd/wcd-start.md
- name: StartupApp
href: wcd/wcd-startupapp.md
- name: StartupBackgroundTasks
href: wcd/wcd-startupbackgroundtasks.md
- name: StorageD3InModernStandby
href: wcd/wcd-storaged3inmodernstandby.md
- name: SurfaceHubManagement
href: wcd/wcd-surfacehubmanagement.md
- name: TabletMode
href: wcd/wcd-tabletmode.md
- name: TakeATest
href: wcd/wcd-takeatest.md
- name: Time
href: wcd/wcd-time.md
- name: UnifiedWriteFilter
href: wcd/wcd-unifiedwritefilter.md
- name: UniversalAppInstall
href: wcd/wcd-universalappinstall.md
- name: UniversalAppUninstall
href: wcd/wcd-universalappuninstall.md
- name: UsbErrorsOEMOverride
href: wcd/wcd-usberrorsoemoverride.md
- name: WeakCharger
href: wcd/wcd-weakcharger.md
- name: WindowsHelloForBusiness
href: wcd/wcd-windowshelloforbusiness.md
- name: WindowsTeamSettings
href: wcd/wcd-windowsteamsettings.md
- name: WLAN
href: wcd/wcd-wlan.md
- name: Workplace
href: wcd/wcd-workplace.md
- name: User Experience Virtualization (UE-V)
items:
- name: User Experience Virtualization (UE-V) for Windows 10
href: ue-v/uev-for-windows.md
- name: Get started with UE-V
items:
- name: Get started with UE-V
href: ue-v/uev-getting-started.md
- name: What's New in UE-V for Windows 10, version 1607
href: ue-v/uev-whats-new-in-uev-for-windows.md
- name: User Experience Virtualization Release Notes
href: ue-v/uev-release-notes-1607.md
- name: Upgrade to UE-V for Windows 10
href: ue-v/uev-upgrade-uev-from-previous-releases.md
- name: Prepare a UE-V Deployment
items:
- name: Prepare a UE-V Deployment
href: ue-v/uev-prepare-for-deployment.md
- name: Deploy Required UE-V Features
href: ue-v/uev-deploy-required-features.md
- name: Deploy UE-V for use with Custom Applications
href: ue-v/uev-deploy-uev-for-custom-applications.md
- name: Administer UE-V
items:
- name: UE-V administration guide
href: ue-v/uev-administering-uev.md
- name: Manage Configurations for UE-V
items:
- name: Manage Configurations for UE-V
href: ue-v/uev-manage-configurations.md
- name: Configuring UE-V with Group Policy Objects
href: ue-v/uev-configuring-uev-with-group-policy-objects.md
- name: Configuring UE-V with Microsoft Configuration Manager
href: ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
- name: Administering UE-V with Windows PowerShell and WMI
href: ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
- name: Managing the UE-V Service and Packages with Windows PowerShell and WMI
href: ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
- name: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI
href: ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
- name: Working with Custom UE-V Templates and the UE-V Template Generator
href: ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
- name: Manage Administrative Backup and Restore in UE-V
href: ue-v/uev-manage-administrative-backup-and-restore.md
- name: Changing the Frequency of UE-V Scheduled Tasks
href: ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
- name: Migrating UE-V Settings Packages
href: ue-v/uev-migrating-settings-packages.md
- name: Using UE-V with Application Virtualization Applications
href: ue-v/uev-using-uev-with-application-virtualization-applications.md
- name: Troubleshooting UE-V
href: ue-v/uev-troubleshooting.md
- name: Technical Reference for UE-V
items:
- name: Technical Reference for UE-V
href: ue-v/uev-technical-reference.md
- name: Sync Methods for UE-V
href: ue-v/uev-sync-methods.md
- name: Sync Trigger Events for UE-V
href: ue-v/uev-sync-trigger-events.md
- name: Synchronizing Microsoft Office with UE-V
href: ue-v/uev-synchronizing-microsoft-office-with-uev.md
- name: Application Template Schema Reference for UE-V
href: ue-v/uev-application-template-schema-reference.md
- name: Security Considerations for UE-V
href: ue-v/uev-security-considerations.md

48
windows/configuration/windows-accessibility-for-ITPros.md → windows/configuration/accessibility/index.md
View File

@ -1,19 +1,9 @@
--- ---
title: Windows accessibility information for IT Pros title: Windows accessibility information for IT Pros
description: Lists the various accessibility features available in Windows client with links to detailed guidance on how to set them. description: Lists the various accessibility features available in Windows client with links to detailed guidance on how to set them.
ms.prod: windows-client ms.date: 01/25/2024
ms.technology: itpro-configure
ms.author: lizlong
author: lizgt2000
ms.date: 08/11/2023
ms.reviewer:
manager: aaroncz
ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.collection: tier1 ms.collection: tier1
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
--- ---
<!-- MAXADO-8138357 --> <!-- MAXADO-8138357 -->
@ -25,76 +15,54 @@ Microsoft is dedicated to making its products and services accessible and usable
This article helps you as the IT administrator learn about built-in accessibility features. It also includes recommendations for how to support people in your organization who use these features. This article helps you as the IT administrator learn about built-in accessibility features. It also includes recommendations for how to support people in your organization who use these features.
Windows 11, version 22H2, includes improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) and [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554).<!-- 6294246 --> Windows 11, version 22H2, includes improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) and [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554).
<!-- 6294246 -->
## General recommendations ## General recommendations
- **Be aware of Ease of Access settings**. Understand how people in your organization might use these settings. Help people in your organization learn how they can customize Windows. - **Be aware of Ease of Access settings**. Understand how people in your organization might use these settings. Help people in your organization learn how they can customize Windows.
- **Don't block settings**. Avoid using group policy or MDM settings that override Ease of Access settings. - **Don't block settings**. Avoid using group policy or MDM settings that override Ease of Access settings.
- **Encourage choice**. Allow people in your organization to customize their computers based on their needs. That customization might be installing an add-on for their browser, or a non-Microsoft assistive technology. - **Encourage choice**. Allow people in your organization to customize their computers based on their needs. That customization might be installing an add-on for their browser, or a non-Microsoft assistive technology.
## Vision ## Vision
- [Use Narrator to use devices without a screen](https://support.microsoft.com/windows/complete-guide-to-narrator-e4397a0d-ef4f-b386-d8ae-c172f109bdb1). Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices. Now the user is able to download and install 10 more natural languages. - [Use Narrator to use devices without a screen](https://support.microsoft.com/windows/complete-guide-to-narrator-e4397a0d-ef4f-b386-d8ae-c172f109bdb1). Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices. Now the user is able to download and install 10 more natural languages.
- [Create accessible apps](/windows/apps/develop/accessibility). You can develop accessible apps just like Mail, Groove, and Store that work well with Narrator and other leading screen readers. - [Create accessible apps](/windows/apps/develop/accessibility). You can develop accessible apps just like Mail, Groove, and Store that work well with Narrator and other leading screen readers.
- Use keyboard shortcuts. Get the most out of Windows with shortcuts for apps and desktops. - Use keyboard shortcuts. Get the most out of Windows with shortcuts for apps and desktops.
- [Keyboard shortcuts in Windows](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec) - [Keyboard shortcuts in Windows](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec)
- [Narrator keyboard commands and touch gestures](https://support.microsoft.com/windows/appendix-b-narrator-keyboard-commands-and-touch-gestures-8bdab3f4-b3e9-4554-7f28-8b15bd37410a) - [Narrator keyboard commands and touch gestures](https://support.microsoft.com/windows/appendix-b-narrator-keyboard-commands-and-touch-gestures-8bdab3f4-b3e9-4554-7f28-8b15bd37410a)
- [Windows keyboard shortcuts for accessibility](https://support.microsoft.com/windows/windows-keyboard-shortcuts-for-accessibility-021bcb62-45c8-e4ef-1e4f-41b8c1fc87fd) - [Windows keyboard shortcuts for accessibility](https://support.microsoft.com/windows/windows-keyboard-shortcuts-for-accessibility-021bcb62-45c8-e4ef-1e4f-41b8c1fc87fd)
- Get closer with [Magnifier](https://support.microsoft.com/windows/use-magnifier-to-make-things-on-the-screen-easier-to-see-414948ba-8b1c-d3bd-8615-0e5e32204198). Magnifier enlarges all or part of your screen and offers various configuration settings. - Get closer with [Magnifier](https://support.microsoft.com/windows/use-magnifier-to-make-things-on-the-screen-easier-to-see-414948ba-8b1c-d3bd-8615-0e5e32204198). Magnifier enlarges all or part of your screen and offers various configuration settings.
- [Make Windows easier to see](https://support.microsoft.com/windows/make-windows-easier-to-see-c97c2b0d-cadb-93f0-5fd1-59ccfe19345d). - [Make Windows easier to see](https://support.microsoft.com/windows/make-windows-easier-to-see-c97c2b0d-cadb-93f0-5fd1-59ccfe19345d).
- Changing the size or color of pointers or adding trails or touch feedback make it easier to follow the mouse. - Changing the size or color of pointers or adding trails or touch feedback make it easier to follow the mouse.
- Adjust the size of text, icons, and other screen items to make them easier to see. - Adjust the size of text, icons, and other screen items to make them easier to see.
- Many high-contrast themes are available to suit your needs. - Many high-contrast themes are available to suit your needs.
- [Have Cortana assist](https://support.microsoft.com/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825). Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts. - [Have Cortana assist](https://support.microsoft.com/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825). Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.
- [Dictate text and commands](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). Windows includes speech recognition that lets you tell it what to do. - [Dictate text and commands](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). Windows includes speech recognition that lets you tell it what to do.
- [Simplify for focus](https://support.microsoft.com/windows/make-it-easier-to-focus-on-tasks-0d259fd9-e9d0-702c-c027-007f0e78eaf2). Reducing animations and turning off background images and transparency can minimize distractions. - [Simplify for focus](https://support.microsoft.com/windows/make-it-easier-to-focus-on-tasks-0d259fd9-e9d0-702c-c027-007f0e78eaf2). Reducing animations and turning off background images and transparency can minimize distractions.
- [Keep notifications around longer](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1). If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes. - [Keep notifications around longer](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1). If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.
- [Read in braille](https://support.microsoft.com/windows/chapter-8-using-narrator-with-braille-3e5f065b-1c9d-6eb2-ec6d-1d07c9e94b20). Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants. - [Read in braille](https://support.microsoft.com/windows/chapter-8-using-narrator-with-braille-3e5f065b-1c9d-6eb2-ec6d-1d07c9e94b20). Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants.
- Starting in Windows 11, version 22H2 with [KB5022913](https://support.microsoft.com/kb/5022913), the compatibility of braille displays has been expanded. Braille displays work seamlessly and reliably across multiple screen readers, improving the end user experience. - Starting in Windows 11, version 22H2 with [KB5022913](https://support.microsoft.com/kb/5022913), the compatibility of braille displays has been expanded. Braille displays work seamlessly and reliably across multiple screen readers, improving the end user experience.
## Hearing ## Hearing
- [Use live captions to better understand audio](https://support.microsoft.com/windows/use-live-captions-to-better-understand-audio-b52da59c-14b8-4031-aeeb-f6a47e6055df). Use Windows 11, version 22H2 or later to better understand any spoken audio with real time captions. - [Use live captions to better understand audio](https://support.microsoft.com/windows/use-live-captions-to-better-understand-audio-b52da59c-14b8-4031-aeeb-f6a47e6055df). Use Windows 11, version 22H2 or later to better understand any spoken audio with real time captions.
- Starting with Windows 11, version 22H2 with [KB5026446](https://support.microsoft.com/kb/5026446), live captions now supports additional languages. - Starting with Windows 11, version 22H2 with [KB5026446](https://support.microsoft.com/kb/5026446), live captions now supports additional languages.
- [View live transcription in a Teams meeting](https://support.microsoft.com/office/view-live-transcription-in-a-teams-meeting-dc1a8f23-2e20-4684-885e-2152e06a4a8b). During any Teams meeting, view a live transcription so you don't miss what's being said. - [View live transcription in a Teams meeting](https://support.microsoft.com/office/view-live-transcription-in-a-teams-meeting-dc1a8f23-2e20-4684-885e-2152e06a4a8b). During any Teams meeting, view a live transcription so you don't miss what's being said.
- [Use Teams for sign language](https://www.microsoft.com/microsoft-teams/group-chat-software). Teams is available on various platforms and devices, so you don't have to worry about whether your co-workers, friends, and family can communicate with you. - [Use Teams for sign language](https://www.microsoft.com/microsoft-teams/group-chat-software). Teams is available on various platforms and devices, so you don't have to worry about whether your co-workers, friends, and family can communicate with you.
- [Make Windows easier to hear](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1). - [Make Windows easier to hear](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1).
- Replace audible alerts with visual alerts. - Replace audible alerts with visual alerts.
- If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes. - If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.
- Send all sounds to both left and right channels, which is helpful for those people with partial hearing loss or deafness in one ear. - Send all sounds to both left and right channels, which is helpful for those people with partial hearing loss or deafness in one ear.
- [Read spoken words with captioning](https://support.microsoft.com/windows/change-caption-settings-135c465b-8cfd-3bac-9baf-4af74bc0069a). You can customize things like color, size, and background transparency to suit your needs and tastes. - [Read spoken words with captioning](https://support.microsoft.com/windows/change-caption-settings-135c465b-8cfd-3bac-9baf-4af74bc0069a). You can customize things like color, size, and background transparency to suit your needs and tastes.
- Use the [Azure Cognitive Services Translator](/azure/cognitive-services/translator/) service to add machine translation to your solutions. - Use the [Azure Cognitive Services Translator](/azure/cognitive-services/translator/) service to add machine translation to your solutions.
## Physical ## Physical
- [Have Cortana assist you](https://support.microsoft.com/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825). Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts. - [Have Cortana assist you](https://support.microsoft.com/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825). Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.
- [Dictate text and commands](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). Windows includes voice recognition that lets you tell it what to do. - [Dictate text and commands](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). Windows includes voice recognition that lets you tell it what to do.
- [Use the On-Screen Keyboard (OSK)](https://support.microsoft.com/windows/use-the-on-screen-keyboard-osk-to-type-ecbb5e08-5b4e-d8c8-f794-81dbf896267a). Instead of relying on a physical keyboard, use the OSK to enter data and select keys with a mouse or other pointing device. It also offers word prediction and completion. - [Use the On-Screen Keyboard (OSK)](https://support.microsoft.com/windows/use-the-on-screen-keyboard-osk-to-type-ecbb5e08-5b4e-d8c8-f794-81dbf896267a). Instead of relying on a physical keyboard, use the OSK to enter data and select keys with a mouse or other pointing device. It also offers word prediction and completion.
- [Make your mouse, keyboard, and other input devices easier to use](https://support.microsoft.com/windows/make-your-mouse-keyboard-and-other-input-devices-easier-to-use-10733da7-fa82-88be-0672-f123d4b3dcfe). - [Make your mouse, keyboard, and other input devices easier to use](https://support.microsoft.com/windows/make-your-mouse-keyboard-and-other-input-devices-easier-to-use-10733da7-fa82-88be-0672-f123d4b3dcfe).
- If you have limited control of your hands, you can personalize your keyboard to do helpful things like ignore repeated keys. - If you have limited control of your hands, you can personalize your keyboard to do helpful things like ignore repeated keys.
@ -103,32 +71,24 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy
## Cognition ## Cognition
- [Simplify for focus](https://support.microsoft.com/windows/make-it-easier-to-focus-on-tasks-0d259fd9-e9d0-702c-c027-007f0e78eaf2). Reducing animations and turning off background images and transparency can minimize distractions. - [Simplify for focus](https://support.microsoft.com/windows/make-it-easier-to-focus-on-tasks-0d259fd9-e9d0-702c-c027-007f0e78eaf2). Reducing animations and turning off background images and transparency can minimize distractions.
- [Download and use fonts that are easier to read](https://www.microsoft.com/download/details.aspx?id=50721). **Fluent Sitka Small** and **Fluent Calibri** are fonts that address "visual crowding" by adding character and enhance word and line spacing. - [Download and use fonts that are easier to read](https://www.microsoft.com/download/details.aspx?id=50721). **Fluent Sitka Small** and **Fluent Calibri** are fonts that address "visual crowding" by adding character and enhance word and line spacing.
- [Microsoft Edge reading view](https://support.microsoft.com/windows/take-your-reading-with-you-b6699255-4436-708e-7b93-4d2e19a15af8). Clears distracting content from web pages so you can stay focused on what you really want to read. - [Microsoft Edge reading view](https://support.microsoft.com/windows/take-your-reading-with-you-b6699255-4436-708e-7b93-4d2e19a15af8). Clears distracting content from web pages so you can stay focused on what you really want to read.
## Assistive technology devices built into Windows ## Assistive technology devices built into Windows
- [Hear text read aloud with Narrator](https://support.microsoft.com/windows/hear-text-read-aloud-with-narrator-040f16c1-4632-b64e-110a-da4a0ac56917). Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display. - [Hear text read aloud with Narrator](https://support.microsoft.com/windows/hear-text-read-aloud-with-narrator-040f16c1-4632-b64e-110a-da4a0ac56917). Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display.
- Scripting functionality has been added to Narrator. There is store delivery of Narrator extension scripts which currently include an Outlook script and an Excel script. - Scripting functionality has been added to Narrator. There is store delivery of Narrator extension scripts which currently include an Outlook script and an Excel script.
- [Use voice recognition](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). - [Use voice recognition](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571).
<!-- MAXADO-8138354 --> <!-- MAXADO-8138354 -->
- With spellings experience in voice access, you can dictate a complex or non-standard word letter-by-letter and add it to Windows dictionary. The next time you try to dictate the same word, voice access improves its recognition. - With spellings experience in voice access, you can dictate a complex or non-standard word letter-by-letter and add it to Windows dictionary. The next time you try to dictate the same word, voice access improves its recognition.
- [Save time with keyboard shortcuts](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec). - [Save time with keyboard shortcuts](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec).
- [Use voice access to control your PC and author text with your voice](https://support.microsoft.com/topic/use-voice-access-to-control-your-pc-author-text-with-your-voice-4dcd23ee-f1b9-4fd1-bacc-862ab611f55d).
- [Use voice access to control your PC and author text with your voice](https://support.microsoft.com/en-us/topic/use-voice-access-to-control-your-pc-author-text-with-your-voice-4dcd23ee-f1b9-4fd1-bacc-862ab611f55d).
## Other resources ## Other resources
[Windows accessibility](https://www.microsoft.com/Accessibility/windows) [Windows accessibility](https://www.microsoft.com/Accessibility/windows)
[Designing accessible software](/windows/apps/design/accessibility/designing-inclusive-software) [Designing accessible software](/windows/apps/design/accessibility/designing-inclusive-software)
[Inclusive design](https://www.microsoft.com/design/inclusive) [Inclusive design](https://www.microsoft.com/design/inclusive)
[Accessibility guide for Microsoft 365 Apps](/deployoffice/accessibility-guide) [Accessibility guide for Microsoft 365 Apps](/deployoffice/accessibility-guide)

0
windows/configuration/images/apn-add-details.PNG → windows/configuration/cellular/images/apn-add-details.PNG
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 28 KiB

After

Width:  |  Height:  |  Size: 28 KiB

0
windows/configuration/images/apn-add.PNG → windows/configuration/cellular/images/apn-add.PNG
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 16 KiB

67
windows/configuration/provisioning-apn.md → windows/configuration/cellular/provisioning-apn.md
View File

@ -1,63 +1,40 @@
--- ---
title: Configure cellular settings for tablets and PCs (Windows 10) title: Configure cellular settings for tablets and PCs
description: Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. description: Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles.
ms.reviewer: ms.topic: concept-article
manager: aaroncz
ms.prod: windows-client
author: lizgt2000
ms.author: lizlong
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/13/2018 ms.date: 04/13/2018
ms.technology: itpro-configure
--- ---
# Configure cellular settings for tablets and PCs # Configure cellular settings for tablets and PCs
**Applies to**
- Windows 10
>**Looking for consumer information?** See [Cellular settings in Windows 10](https://support.microsoft.com/help/10739/windows-10-cellular-settings) >**Looking for consumer information?** See [Cellular settings in Windows 10](https://support.microsoft.com/help/10739/windows-10-cellular-settings)
Enterprises can configure cellular settings for tablets and PC that have built-in cellular modems or plug-in USB modem dongles and apply the settings in a [provisioning package](provisioning-packages/provisioning-packages.md). After the devices are configured, users are automatically connected using the access point name (APN) defined by the enterprise without needing to manually connect. Enterprises can configure cellular settings for tablets and PC that have built-in cellular modems or plug-in USB modem dongles and apply the settings in a [provisioning package](../provisioning-packages/provisioning-packages.md). After the devices are configured, users are automatically connected using the access point name (APN) defined by the enterprise without needing to manually connect.
For users who work in different locations, you can configure one APN to connect when the users are at work and a different APN when the users are traveling. For users who work in different locations, you can configure one APN to connect when the users are at work and a different APN when the users are traveling.
## Prerequisites ## Prerequisites
- Windows 10, version 1703, desktop editions (Home, Pro, Enterprise, Education) - Windows 10, version 1703, desktop editions (Home, Pro, Enterprise, Education)
- Tablet or PC with built-in cellular modem or plug-in USB modem dongle - Tablet or PC with built-in cellular modem or plug-in USB modem dongle
- [Windows Configuration Designer](../provisioning-packages/provisioning-install-icd.md)
- [Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md)
- APN (the address that your PC uses to connect to the Internet when using the cellular data connection) - APN (the address that your PC uses to connect to the Internet when using the cellular data connection)
>[!NOTE]
>You can get the APN from your mobile operator.
## How to configure cellular settings in a provisioning package ## How to configure cellular settings in a provisioning package
1. In Windows Configuration Designer, [start a new project](provisioning-packages/provisioning-create-package.md) using the **Advanced provisioning** option. 1. In Windows Configuration Designer, [start a new project](../provisioning-packages/provisioning-create-package.md) using the **Advanced provisioning** option.
1. Enter a name for your project, and then click **Next**.
2. Enter a name for your project, and then click **Next**. 1. Select **All Windows desktop editions**, click **Next**, and then click **Finish**.
1. Go to **Runtime settings > Connections > EnterpriseAPN**.
3. Select **All Windows desktop editions**, click **Next**, and then click **Finish**. 1. Enter a name for the connection, and then click **Add**.
4. Go to **Runtime settings > Connections > EnterpriseAPN**.
5. Enter a name for the connection, and then click **Add**.
![Example of APN connection name.](images/apn-add.png) ![Example of APN connection name.](images/apn-add.png)
6. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection. 1. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection.
![settings for new connection.](images/apn-add-details.png) ![settings for new connection.](images/apn-add-details.png)
7. The following table describes the settings available for the connection. 1. The following table describes the settings available for the connection.
| Setting | Description | | Setting | Description |
| --- | --- | | --- | --- |
@ -73,44 +50,38 @@ For users who work in different locations, you can configure one APN to connect
| Roaming | Select the behavior that you want when the device is roaming. The options are:</br></br>-Disallowed</br>-Allowed (default)</br>-DomesticRoaming</br>-Use OnlyForDomesticRoaming</br>-UseOnlyForNonDomesticRoaming</br>-UseOnlyForRoaming | | Roaming | Select the behavior that you want when the device is roaming. The options are:</br></br>-Disallowed</br>-Allowed (default)</br>-DomesticRoaming</br>-Use OnlyForDomesticRoaming</br>-UseOnlyForNonDomesticRoaming</br>-UseOnlyForRoaming |
| UserName | If you select PAP, CHAP, or MSCHAPv2 authentication, enter a user name. | | UserName | If you select PAP, CHAP, or MSCHAPv2 authentication, enter a user name. |
8. After you configure the connection settings, [build the provisioning package](provisioning-packages/provisioning-create-package.md#build-package). 1. After you configure the connection settings, [build the provisioning package](../provisioning-packages/provisioning-create-package.md#build-package).
1. [Apply the package to devices.](../provisioning-packages/provisioning-apply-package.md)
9. [Apply the package to devices.](provisioning-packages/provisioning-apply-package.md)
## Confirm the settings ## Confirm the settings
After you apply the provisioning package, you can confirm that the settings have been applied. After you apply the provisioning package, you can confirm that the settings have been applied.
1. On the configured device, open a command prompt as an administrator. 1. On the configured device, open a command prompt as an administrator.
1. Run the following command:
2. Run the following command: ```cmd
```
netsh mbn show profiles netsh mbn show profiles
``` ```
3. The command will list the mobile broadband profiles. Using the "Name" for the listed mobile broadband profile, run: 1. The command will list the mobile broadband profiles. Using the "Name" for the listed mobile broadband profile, run:
``` ```cmd
netsh mbn show profiles name="name" netsh mbn show profiles name="name"
``` ```
This command will list details for that profile, including Access Point Name. This command will list details for that profile, including Access Point Name.
Alternatively, you can also use the command: Alternatively, you can also use the command:
``` ```cmd
netsh mbn show interface netsh mbn show interface
``` ```
From the results of that command, get the name of the cellular/mobile broadband interface and run: From the results of that command, get the name of the cellular/mobile broadband interface and run:
``` ```cmd
netsh mbn show connection interface="name" netsh mbn show connection interface="name"
``` ```
The result of that command will show details for the cellular interface, including Access Point Name. The result of that command will show details for the cellular interface, including Access Point Name.

91
windows/configuration/changes-to-start-policies-in-windows-10.md
View File

@ -1,91 +0,0 @@
---
title: Changes to Group Policy settings for Windows 10 Start menu (Windows 10)
description: Learn about changes to Group Policy settings for the Windows 10 Start menu. Also, learn about the new Windows 10 Start experience.
ms.reviewer:
manager: aaroncz
ms.prod: windows-client
author: lizgt2000
ms.author: lizlong
ms.topic: whats-new
ms.localizationpriority: medium
ms.date: 08/18/2023
ms.technology: itpro-configure
---
# Changes to Group Policy settings for Windows 10 Start
**Applies to**:
- Windows 10
Windows 10 has a brand new Start experience. As a result, there are changes to the Group Policy settings that you can use to manage Start. Some policy settings are new or changed, and some old Start policy settings still apply. Other Start policy settings no longer apply and are deprecated.
## Start policy settings supported for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
These policy settings are available in **Administrative Templates\\Start Menu and Taskbar** under **User Configuration**.
|Policy|Notes|
|--- |--- |
|Clear history of recently opened documents on exit|Documents that the user opens are tracked during the session. When the user signs off, the history of opened documents is deleted.|
|Don't allow pinning items in Jump Lists|Jump Lists are lists of recently opened items, such as files, folders, or websites, organized by the program that you use to open them. This policy prevents users from pinning items to any Jump List.|
|Don't display or track items in Jump Lists from remote locations|When this policy is applied, only items local on the computer are shown in Jump Lists.|
|Don't keep history of recently opened documents|Documents that the user opens aren't tracked during the session.|
|Prevent changes to Taskbar and Start Menu Settings|In Windows 10, this policy disables all of the settings in **Settings** > **Personalization** > **Start** and the options in dialog available via right-click Taskbar > **Properties**|
|Prevent users from customizing their Start Screen|Use this policy with a [customized Start layout](windows-10-start-layout-options-and-policies.md) to prevent users from changing it|
|Prevent users from uninstalling applications from Start|In Windows 10, this policy removes the uninstall button in the context menu. It doesn't prevent users from uninstalling the app through other entry points (for example, PowerShell)|
|Remove All Programs list from the Start menu|In Windows 10, this policy removes the **All apps** button.|
|Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands|This policy removes the Shut Down, Restart, Sleep, and Hibernate commands from the Start Menu, Start Menu power button, CTRL+ALT+DEL screen, and Alt+F4 Shut Down Windows menu.|
|Remove common program groups from Start Menu|As in earlier versions of Windows, this policy removes apps specified in the All Users profile from Start|
|Remove frequent programs list from the Start Menu|In Windows 10, this policy removes the top left **Most used** group of apps.|
|Remove Logoff on the Start Menu|**Logoff** has been changed to **Sign Out** in the user interface, however the functionality is the same.|
|Remove pinned programs list from the Start Menu|In Windows 10, this policy removes the bottom left group of apps (by default, only File Explorer and Settings are pinned).|
|Show "Run as different user" command on Start|This policy enables the **Run as different user** option in the right-click menu for apps.|
|Start Layout|This policy applies a specific Start layout, and it also prevents users from changing the layout. This policy can be configured in **User Configuration** or **Computer Configuration**.|
|Force Start to be either full screen size or menu size|This policy applies a specific size for Start.|
## Deprecated Group Policy settings for Start
The Start policy settings listed in the following table don't work on Windows 10. Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10. Deprecation in this case means that the policy setting won't work on Windows 10. The “Supported on” text for a policy setting won't list Windows 10. The policy settings are still in the Group Policy Management Console and can be used on the operating systems that they apply to.
| Policy | When deprecated |
|----------------------------------------------------------------------------------|-----------------|
| Go to the desktop instead of Start when signing in | Windows 10 |
| List desktop apps first in the Apps view | Windows 10 |
| Pin Apps to Start when installed (User or Computer) | Windows 10 |
| Remove Default Programs link from the Start menu. | Windows 10 |
| Remove Documents icon from Start Menu | Windows 10 |
| Remove programs on Settings menu | Windows 10 |
| Remove Run menu from Start Menu | Windows 10 |
| Remove the "Undock PC" button from the Start Menu | Windows 10 |
| Search just apps from the Apps view | Windows 10 |
| Show Start on the display the user is using when they press the Windows logo key | Windows 10 |
| Show the Apps view automatically when the user goes to Start | Windows 10 |
| Add the Run command to the Start Menu | Windows 8 |
| Change Start Menu power button | Windows 8 |
| Gray unavailable Windows Installer programs Start Menu shortcuts | Windows 8 |
| Remove Downloads link from Start Menu | Windows 8 |
| Remove Favorites menu from Start Menu | Windows 8 |
| Remove Games link from Start Menu | Windows 8 |
| Remove Help menu from Start Menu | Windows 8 |
| Remove Homegroup link from Start Menu | Windows 8 |
| Remove Music icon from Start Menu | Windows 8 |
| Remove Network icon from Start Menu | Windows 8 |
| Remove Pictures icon from Start Menu | Windows 8 |
| Remove Recent Items menu from Start Menu | Windows 8 |
| Remove Recorded TV link from Start Menu | Windows 8 |
| Remove user folder link from Start Menu | Windows 8 |
| Remove Videos link from Start Menu | Windows 8 |
## Related topics
- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
- [Customize and export Start layout](customize-and-export-start-layout.md)
- [Add image for secondary tiles](start-secondary-tiles.md)
- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)

140
windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
View File

@ -1,140 +0,0 @@
---
title: Customize Windows 10 Start and taskbar with provisioning packages (Windows 10)
description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users.
ms.reviewer:
manager: aaroncz
ms.prod: windows-client
author: lizgt2000
ms.author: lizlong
ms.topic: article
ms.localizationpriority: medium
ms.technology: itpro-configure
ms.date: 12/31/2017
---
# Customize Windows 10 Start and taskbar with provisioning packages
**Applies to**
- Windows 10
> **Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
> [!NOTE]
> Currently, using provisioning packages to customize the Start menu layout is supported on Windows 10. It's not supported on Windows 11.
In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
> [!IMPORTANT]
> If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy.
**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions.
## <a href="" id="bkmk-howstartscreencontrolworks"></a>How Start layout control works
Three features enable Start and taskbar layout control:
- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
> [!NOTE]
> To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](/powershell/module/startlayout/import-startlayout) cmdlet.
- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `<CustomTaskbarLayoutCollection>` or create an .xml file just for the taskbar configuration.
- In Windows Configuration Designer, you use the **Policies/Start/StartLayout** setting to provide the contents of the .xml file that defines the Start and taskbar layout.
<span id="escape"/>
## <a href="" id="escape"></a>Prepare the Start layout XML file
The **Export-StartLayout** cmdlet produces an XML file. Because Windows Configuration Designer produces a customizations.xml file that contains the configuration settings, adding the Start layout section to the customizations.xml file directly would result in an XML file embedded in an XML file. Before you add the Start layout section to the customizations.xml file, you must replace the markup characters in your layout.xml with escape characters.
1. Copy the contents of layout.xml into an online tool that escapes characters.
3. During the procedure to create a provisioning package, you will copy the text with the escape characters and paste it in the customizations.xml file for your project.
## <a href="" id="bkmk-domaingpodeployment"></a>Create a provisioning package that contains a customized Start layout
Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md)
> [!IMPORTANT]
> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Choose **Advanced provisioning**.
3. Name your project, and click **Next**.
4. Choose **All Windows desktop editions** and click **Next**.
5. On **New project**, click **Finish**. The workspace for your package opens.
6. Expand **Runtime settings** &gt; **Policies** &gt; **Start**, and click **StartLayout**.
> [!TIP]
> If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**.
7. Enter **layout.xml**. This value creates a placeholder in the customizations.xml file that you will replace with the contents of the layout.xml file in a later step.
7. Save your project and close Windows Configuration Designer.
7. In File Explorer, open the project's directory. (The default location is C:\Users\\*user name*\Documents\Windows Imaging and Configuration Designer (WICD)\\*project name*)
7. Open the customizations.xml file in a text editor. The **&lt;Customizations&gt;** section will look like this:
![Customizations file with the placeholder text to replace highlighted.](images/customization-start.png)
7. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape).
8. Save and close the customizations.xml file.
8. Open Windows Configuration Designer and open your project.
8. On the **File** menu, select **Save.**
9. On the **Export** menu, select **Provisioning package**.
10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
13. Click **Next**.
14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
16. Copy the provisioning package to the target device.
17. Double-click the ppkg file and allow it to install.
## Related topics
- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
- [Customize and export Start layout](customize-and-export-start-layout.md)
- [Add image for secondary tiles](start-secondary-tiles.md)
- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)

39
windows/configuration/docfx.json
View File

@ -41,9 +41,10 @@
"zone_pivot_group_filename": "resources/zone-pivot-groups.json", "zone_pivot_group_filename": "resources/zone-pivot-groups.json",
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Windows", "uhfHeaderId": "MSDocsHeader-Windows",
"ms.technology": "itpro-configure", "ms.subservice": "itpro-configure",
"ms.topic": "article", "ms.service": "windows-client",
"ms.prod": "windows-client", "ms.author": "paoloma",
"author": "paolomatarazzo",
"manager": "aaroncz", "manager": "aaroncz",
"feedback_system": "Standard", "feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
@ -72,6 +73,37 @@
"fileMetadata": { "fileMetadata": {
"feedback_system": { "feedback_system": {
"ue-v/**/*.*": "None" "ue-v/**/*.*": "None"
},
"author":{
"wcd//**/*.md": "aczechowski",
"wcd//**/*.yml": "aczechowski",
"ue-v//**/*.md": "aczechowski",
"ue-v//**/*.yml": "aczechowski"
},
"ms.author":{
"wcd//**/*.md": "aaroncz",
"wcd//**/*.yml": "aaroncz",
"ue-v//**/*.md": "aaroncz",
"ue-v//**/*.yml": "aaroncz"
},
"ms.reviewer":{
"kiosk//**/*.md": "sybruckm",
"start//**/*.md": "ericpapa"
},
"ms.collection":{
"wcd//**/*.md": "must-keep",
"ue-v//**/*.md": [
"must-keep",
"tier3"
]
},
"appliesto": {
"*/**/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"
],
"ue-v//**/*.md": "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
"wcd//**/*.md": ""
} }
}, },
"template": [], "template": [],
@ -79,3 +111,4 @@
"markdownEngineName": "markdig" "markdownEngineName": "markdig"
} }
} }

0
windows/configuration/images/account-management-details.PNG → windows/configuration/images/account-management-details.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 23 KiB

After

Width:  |  Height:  |  Size: 23 KiB

0
windows/configuration/images/add-applications-details.PNG → windows/configuration/images/add-applications-details.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 6.8 KiB

After

Width:  |  Height:  |  Size: 6.8 KiB

0
windows/configuration/images/add-certificates-details.PNG → windows/configuration/images/add-certificates-details.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 6.8 KiB

After

Width:  |  Height:  |  Size: 6.8 KiB

0
windows/configuration/images/admx-category.PNG → windows/configuration/images/admx-category.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 8.4 KiB

After

Width:  |  Height:  |  Size: 8.4 KiB

0
windows/configuration/images/admx-policy.PNG → windows/configuration/images/admx-policy.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 15 KiB

After

Width:  |  Height:  |  Size: 15 KiB

BIN
windows/configuration/images/apn-add-details.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 28 KiB

BIN
windows/configuration/images/apn-add.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

0
windows/configuration/images/customization-start-edge.PNG → windows/configuration/images/customization-start-edge.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 7.8 KiB

After

Width:  |  Height:  |  Size: 7.8 KiB

0
windows/configuration/images/customization-start.PNG → windows/configuration/images/customization-start.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 5.1 KiB

After

Width:  |  Height:  |  Size: 5.1 KiB

BIN
windows/configuration/images/customize-start-menu-layout-windows-11/start-menu-layout.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 121 KiB

0
windows/configuration/images/icd-create-options-1703.PNG → windows/configuration/images/icd-create-options-1703.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 21 KiB

After

Width:  |  Height:  |  Size: 21 KiB

0
windows/configuration/images/icd-desktop-1703.PNG → windows/configuration/images/icd-desktop-1703.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 7.6 KiB

After

Width:  |  Height:  |  Size: 7.6 KiB

0
windows/configuration/images/icd-runtime.PNG → windows/configuration/images/icd-runtime.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 22 KiB

After

Width:  |  Height:  |  Size: 22 KiB

0
windows/configuration/images/icd-setting-help.PNG → windows/configuration/images/icd-setting-help.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 98 KiB

After

Width:  |  Height:  |  Size: 98 KiB

0
windows/configuration/images/icd-step1.PNG → windows/configuration/images/icd-step1.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 7.2 KiB

After

Width:  |  Height:  |  Size: 7.2 KiB

0
windows/configuration/images/icd-step2.PNG → windows/configuration/images/icd-step2.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 13 KiB

After

Width:  |  Height:  |  Size: 13 KiB

0
windows/configuration/images/icd-step3.PNG → windows/configuration/images/icd-step3.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 14 KiB

After

Width:  |  Height:  |  Size: 14 KiB

0
windows/configuration/images/icd-step4.PNG → windows/configuration/images/icd-step4.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 18 KiB

After

Width:  |  Height:  |  Size: 18 KiB

0
windows/configuration/images/icd-step5.PNG → windows/configuration/images/icd-step5.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 6.1 KiB

After

Width:  |  Height:  |  Size: 6.1 KiB

0
windows/configuration/images/icd-switch.PNG → windows/configuration/images/icd-switch.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 16 KiB

3
windows/configuration/images/icons/accessibility.svg Normal file
View File

@ -0,0 +1,3 @@
<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M6.75001 3.25C6.75001 2.55964 7.30966 2 8.00001 2C8.69037 2 9.25001 2.55964 9.25001 3.25C9.25001 3.94036 8.69037 4.5 8.00001 4.5C7.30966 4.5 6.75001 3.94036 6.75001 3.25ZM8.00001 1C6.75737 1 5.75001 2.00736 5.75001 3.25C5.75001 3.42769 5.77061 3.60057 5.80955 3.76638L4.1981 3.11531C3.38523 2.78689 2.45661 3.17707 2.12226 3.98751C1.78682 4.8006 2.17658 5.72824 2.9921 6.05773L5 6.86897L5 9.25304L3.18661 12.6635C2.77397 13.4396 3.06858 14.4032 3.84463 14.8158C4.62069 15.2285 5.58431 14.9339 5.99695 14.1578L8.00028 10.3901L10.0037 14.158C10.4163 14.934 11.3799 15.2286 12.156 14.816C12.9321 14.4034 13.2267 13.4397 12.814 12.6637L11 9.252V6.86897L13.0079 6.05773C13.8234 5.72824 14.2132 4.80059 13.8777 3.98751C13.5434 3.17707 12.6148 2.78689 11.8019 3.11531L10.1905 3.76636C10.2294 3.60055 10.25 3.42768 10.25 3.25C10.25 2.00736 9.24265 1 8.00001 1ZM3.04668 4.36889C3.17149 4.06635 3.52005 3.91989 3.82349 4.04249L7.25078 5.42721C7.73138 5.62138 8.2686 5.62138 8.74921 5.42721L12.1765 4.04249C12.4799 3.91989 12.8285 4.06635 12.9533 4.36889C13.077 4.66879 12.9341 5.00902 12.6333 5.13055L10.6254 5.94179C10.2474 6.09449 10 6.46133 10 6.86897V9.252C10 9.41571 10.0402 9.57692 10.1171 9.72147L11.9311 13.1332C12.0844 13.4216 11.9749 13.7797 11.6865 13.9331C11.3981 14.0864 11.04 13.9769 10.8866 13.6885L8.88322 9.92064C8.50711 9.21327 7.49344 9.21326 7.11733 9.92064L5.114 13.6883C4.96065 13.9768 4.60252 14.0863 4.31411 13.9329C4.02569 13.7795 3.9162 13.4214 4.06955 13.133L5.88295 9.72251C5.9598 9.57796 6 9.41675 6 9.25304V6.86897C6 6.46133 5.75256 6.09449 5.3746 5.94179L3.3667 5.13055C3.06591 5.00902 2.92295 4.66879 3.04668 4.36889Z" fill="#0078D4" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.7 KiB

3
windows/configuration/images/icons/windows-os.svg Normal file
View File

@ -0,0 +1,3 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 2048 2048" width="18" height="18" >
<path d="M0 0h961v961H0V0zm1087 0h961v961h-961V0zM0 1087h961v961H0v-961zm1087 0h961v961h-961v-961z" fill="#0078D4" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 215 B

0
windows/configuration/images/kiosk-account-details.PNG → windows/configuration/images/kiosk-account-details.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 46 KiB

After

Width:  |  Height:  |  Size: 46 KiB

0
windows/configuration/images/kiosk-common-details.PNG → windows/configuration/images/kiosk-common-details.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 14 KiB

After

Width:  |  Height:  |  Size: 14 KiB

0
windows/configuration/images/kiosk-desktop.PNG → windows/configuration/images/kiosk-desktop.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 21 KiB

After

Width:  |  Height:  |  Size: 21 KiB

0
windows/configuration/images/kiosk-fullscreen.PNG → windows/configuration/images/kiosk-fullscreen.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 28 KiB

After

Width:  |  Height:  |  Size: 28 KiB

0
windows/configuration/images/kiosk-settings.PNG → windows/configuration/images/kiosk-settings.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 24 KiB

After

Width:  |  Height:  |  Size: 24 KiB

BIN
windows/configuration/images/kiosk.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 4.3 KiB

BIN
windows/configuration/images/office-logo.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 2.5 KiB

0
windows/configuration/images/set-up-device-details-desktop.PNG → windows/configuration/images/set-up-device-details-desktop.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 28 KiB

After

Width:  |  Height:  |  Size: 28 KiB

0
windows/configuration/images/set-up-device-details.PNG → windows/configuration/images/set-up-device-details.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 40 KiB

After

Width:  |  Height:  |  Size: 40 KiB

0
windows/configuration/images/set-up-network-details-desktop.PNG → windows/configuration/images/set-up-network-details-desktop.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 7.6 KiB

After

Width:  |  Height:  |  Size: 7.6 KiB

0
windows/configuration/images/set-up-network-details.PNG → windows/configuration/images/set-up-network-details.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 12 KiB

After

Width:  |  Height:  |  Size: 12 KiB

Some files were not shown because too many files have changed in this diff Show More