mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Acrolinx enhancement
parent
9c8783f1de
commit
3d40b58028
@ -610,7 +610,7 @@ The following list shows the supported values:
|
||||
> This policy is only enforced in Windows 10 for desktop.
|
||||
|
||||
|
||||
Allows or disallows Windows Defender Realtime Monitoring functionality.
|
||||
Allows or disallows Windows Defender real-time Monitoring functionality.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
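Review bot: the replacement description line reads "Windows Defender real-time Monitoring functionality", which lowercases and hyphenates "real-time" but leaves "Monitoring" capitalized. Pick one form, for example "real-time monitoring", so the phrase is not half feature name and half common noun.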
@ -761,7 +761,7 @@ The following list shows the supported values:
|
||||
> This policy is only enforced in Windows 10 for desktop.
|
||||
|
||||
|
||||
Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed.
|
||||
Allows or disallows user access to the Windows Defender UI. I disallowed, all Windows Defender notifications will also be suppressed.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
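Review bot: the replacement line introduces a typo in its second sentence: "If disallowed, all Windows Defender notifications will also be suppressed." became "I disallowed, all Windows Defender notifications will also be suppressed." Restore "If"; the removed line was already correct and this sentence decides how admins read the notification behaviour.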
@ -863,7 +863,7 @@ ADMX Info:
|
||||
> This policy is only enforced in Windows 10 for desktop.
|
||||
|
||||
|
||||
This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule.
|
||||
This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (Azure Site Recovery) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule.
|
||||
|
||||
For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction).
|
||||
|
||||
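Review bot: the replacement line expands the abbreviation as "Attack surface reduction (Azure Site Recovery)", which is the wrong expansion for this policy. ASR here abbreviates Attack surface reduction, as the removed line and the "Enable Attack Surface Reduction" link in the same hunk show. Revert the parenthetical to "(ASR)".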
@ -966,11 +966,11 @@ Valid values: 0–100
|
||||
<!--Description-->
|
||||
This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan.
|
||||
|
||||
This setting applies to scheduled scans as well as the command line "mpcmdrun -SigUpdate", but it has no effect on scans initiated manually from the user interface.
|
||||
This setting applies to scheduled scans and the command line "mpcmdrun -SigUpdate", but it has no effect on scans initiated manually from the user interface.
|
||||
|
||||
If you enable this setting, a check for new definitions will occur before running a scan.
|
||||
|
||||
If you disable this setting or do not configure this setting, the scan will start using the existing definitions.
|
||||
If you disable this setting or don't configure this setting, the scan will start using the existing definitions.
|
||||
|
||||
Supported values:
|
||||
|
||||
@ -1057,7 +1057,7 @@ The following list shows the supported values:
|
||||
|
||||
- 0x0 - Default windows defender blocking level
|
||||
- 0x2 - High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives)
|
||||
- 0x4 - High+ blocking level – aggressively block unknowns and apply additional protection measures (may impact client performance)
|
||||
- 0x4 - High+ blocking level – aggressively block unknowns and apply more protection measures (may impact client performance)
|
||||
- 0x6 - Zero tolerance blocking level – block all unknown executables
|
||||
|
||||
<!--/SupportedValues-->
|
||||
@ -1097,7 +1097,7 @@ The following list shows the supported values:
|
||||
|
||||
This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50.
|
||||
|
||||
The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds.
|
||||
The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an extra 50 seconds.
|
||||
|
||||
For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds.
|
||||
|
||||
@ -1148,7 +1148,7 @@ ADMX Info:
|
||||
> [!NOTE]
|
||||
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications.
|
||||
|
||||
Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Microsoft Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
|
||||
Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it won't be necessary to add entries. Microsoft Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
@ -1194,7 +1194,7 @@ ADMX Info:
|
||||
> [!NOTE]
|
||||
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders.
|
||||
|
||||
This policy settings allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator.
|
||||
This policy setting allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can't be changed. Value type is string. Use the | as the substring separator.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
@ -1244,7 +1244,7 @@ ADMX Info:
|
||||
Time period (in days) that quarantine items will be stored on the system.
|
||||
|
||||
|
||||
The default value is 0, which keeps items in quarantine, and does not automatically remove them.
|
||||
The default value is 0, which keeps items in quarantine, and doesn't automatically remove them.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
@ -1293,9 +1293,9 @@ Valid values: 0–90
|
||||
<!--Description-->
|
||||
This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
|
||||
|
||||
If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
|
||||
If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone signs in to the computer. If there's no scheduled scan configured, there will be no catch-up scan run.
|
||||
|
||||
If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off.
|
||||
If you disable or don't configure this setting, catch-up scans for scheduled full scans will be turned off.
|
||||
|
||||
Supported values:
|
||||
|
||||
@ -1356,9 +1356,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
|
||||
|
||||
If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
|
||||
If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone signs in to the computer. If there's no scheduled scan configured, there will be no catch-up scan run.
|
||||
|
||||
If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off.
|
||||
If you disable or don't configure this setting, catch-up scans for scheduled quick scans will be turned off.
|
||||
|
||||
Supported values:
|
||||
|
||||
@ -1475,7 +1475,7 @@ This policy setting allows you to enable or disable low CPU priority for schedul
|
||||
|
||||
If you enable this setting, low CPU priority will be used during scheduled scans.
|
||||
|
||||
If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans.
|
||||
If you disable or don't configure this setting, not changes will be made to CPU priority for scheduled scans.
|
||||
|
||||
Supported values:
|
||||
|
||||
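Review bot: the edited sentence still says "not changes will be made to CPU priority for scheduled scans". Since the line is being touched for the contraction anyway, correct it to "no changes will be made".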
@ -1535,13 +1535,13 @@ ADMX Info:
|
||||
> [!NOTE]
|
||||
> This policy is only enforced in Windows 10 for desktop.
|
||||
|
||||
This policy allows you to turn network protection on (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer.
|
||||
This policy allows you to turn on network protection (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This protection includes preventing third-party browsers from connecting to dangerous sites. Value type is integer.
|
||||
|
||||
If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit.
|
||||
If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.
|
||||
If you enable this policy with the ""Audit"" option, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Windows Defender Security Center.
|
||||
If you disable this policy, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Windows Defender Security Center.
|
||||
If you do not configure this policy, network blocking will be disabled by default.
|
||||
If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You'll be able to see this activity in Windows Defender Security Center.
|
||||
If you enable this policy with the ""Audit"" option, users/apps won't be blocked from connecting to dangerous domains. However, you'll still see this activity in Windows Defender Security Center.
|
||||
If you disable this policy, users/apps won't be blocked from connecting to dangerous domains. You'll not see any network activity in Windows Defender Security Center.
|
||||
If you don't configure this policy, network blocking will be disabled by default.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
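Review bot: in the replacement line for the disabled case, "You'll not see any network activity in Windows Defender Security Center" reads awkwardly next to the "won't" earlier in the same sentence; "You won't see any network activity" is the natural form. The doubled quotation marks around ""Block"" and ""Audit"" are carried into the new lines unchanged and look like leftover escaping; use a single pair. The reworded opening, "turn on network protection (block/audit) or off", also separates "or off" from its verb; "turn network protection on (block/audit) or off" in the removed line was clearer.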
@ -1761,8 +1761,8 @@ ADMX Info:
|
||||
<!--SupportedValues-->
|
||||
The following list shows the supported values:
|
||||
|
||||
- 0 (default) – PUA Protection off. Windows Defender will not protect against potentially unwanted applications.
|
||||
- 1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats.
|
||||
- 0 (default) – PUA Protection off. Windows Defender won't protect against potentially unwanted applications.
|
||||
- 1 – PUA Protection on. Detected items are blocked. They'll show in history along with other threats.
|
||||
- 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer.
|
||||
|
||||
<!--/SupportedValues-->
|
||||
@ -2095,7 +2095,7 @@ Valid values: 0–1380.
|
||||
<!--Description-->
|
||||
This policy setting allows you to define the security intelligence location for VDI-configured computers.
|
||||
|
||||
If you disable or do not configure this setting, security intelligence will be referred from the default local source.
|
||||
If you disable or don't configure this setting, security intelligence will be referred from the default local source.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
@ -2155,9 +2155,9 @@ Possible values are:
|
||||
|
||||
For example: InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC
|
||||
|
||||
If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
|
||||
If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list won't be contacted.
|
||||
|
||||
If you disable or do not configure this setting, definition update sources will be contacted in a default order.
|
||||
If you disable or don't configure this setting, definition update sources will be contacted in a default order.
|
||||
|
||||
OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder
|
||||
|
||||
@ -2217,9 +2217,9 @@ For example: \\unc1\Signatures | \\unc2\Signatures
|
||||
|
||||
The list is empty by default.
|
||||
|
||||
If you enable this setting, the specified sources will be contacted for definition updates. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
|
||||
If you enable this setting, the specified sources will be contacted for definition updates. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list won't be contacted.
|
||||
|
||||
If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted.
|
||||
If you disable or don't configure this setting, the list will remain empty by default and no sources will be contacted.
|
||||
|
||||
OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFileSharesSources
|
||||
|
||||
|
@ -204,7 +204,7 @@ ADMX Info:
|
||||
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
|
||||
|
||||
|
||||
Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
|
||||
Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This policy means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
@ -310,7 +310,7 @@ ADMX Info:
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
|
||||
This policy allows you to configure one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
|
||||
This policy allows you to configure one or more Delivery Optimizations in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
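Review bot: the replacement line pluralizes the feature name to "Delivery Optimizations in Network Cache servers". Delivery Optimization is used as a singular feature name everywhere else in this file, so the plural belongs on "servers" only. Keep "Delivery Optimization in Network Cache servers" as in the removed line.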
@ -374,7 +374,7 @@ When DHCP Option ID Force (2) is set, the client will query DHCP Option ID 235 a
|
||||
<!--Description-->
|
||||
This policy allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer.
|
||||
|
||||
After the max delay is reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from peers. Note that a download that is waiting for peer sources, will appear to be stuck for the end user. The recommended value is 1 hour (3600).
|
||||
After the max delay is reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from peers. A download that is waiting for peer sources will appear to be stuck for the end user. The recommended value is 1 hour (3600).
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
@ -529,9 +529,9 @@ Supported values: 0 - one month (in seconds)
|
||||
<!--Description-->
|
||||
This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer.
|
||||
|
||||
After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers.
|
||||
After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers.
|
||||
|
||||
Note that a download that is waiting for peer sources, will appear to be stuck for the end user.
|
||||
A download that is waiting for peer sources, will appear to be stuck for the end user.
|
||||
|
||||
The recommended value is 1 minute (60).
|
||||
|
||||
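Review bot: the replacement line keeps "After the max delay has reached", while the background-download policy earlier in this file says "After the max delay is reached"; use "is reached" here too. The rewritten follow-up sentence also keeps the comma in "peer sources, will appear to be stuck", which the equivalent edit in the background policy dropped.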
@ -550,7 +550,7 @@ The following list shows the supported values as number of seconds:
|
||||
|
||||
- 0 to 86400 (1 day)
|
||||
- 0 - managed by the cloud service
|
||||
- Default is not configured.
|
||||
- Default isn't configured.
|
||||
|
||||
<!--/SupportedValues-->
|
||||
<!--/Policy-->
|
||||
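Review bot: "Default is not configured." can be read as stating that the default state is "not configured", and contracting it to "Default isn't configured." shifts the reading toward "no default has been set up". Keep the removed wording, or make the state explicit with something like "Default: not configured".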
@ -607,8 +607,8 @@ The following list shows the supported values:
|
||||
- 1 (default) – HTTP blended with peering behind the same NAT.
|
||||
- 2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.
|
||||
- 3 – HTTP blended with Internet peering.
|
||||
- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607.
|
||||
- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. Note that this value is deprecated and will be removed in a future release.
|
||||
- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and doesn't attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607.
|
||||
- 100 - Bypass mode. Don't use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. This value is deprecated and will be removed in a future release.
|
||||
<!--/SupportedValues-->
|
||||
<!--/Policy-->
|
||||
|
||||
@ -645,7 +645,7 @@ The following list shows the supported values:
|
||||
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
|
||||
|
||||
|
||||
This Policy specifies an arbitrary group ID that the device belongs to. Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. Note that this is a best effort optimization and should not be relied on for an authentication of identity.
|
||||
This policy specifies an arbitrary group ID that the device belongs to. Use this ID if you need to create a single group for Local Network Peering for branches that are on different domains or aren't on the same LAN. This approach is a best effort optimization and shouldn't be relied on for an authentication of identity.
|
||||
|
||||
> [!NOTE]
|
||||
> You must use a GUID as the group ID.
|
||||
@ -701,7 +701,7 @@ The options set in this policy only apply to Group (2) download mode. If Group (
|
||||
|
||||
For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID.
|
||||
|
||||
Starting with Windows 10, version 1903, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
|
||||
Starting with Windows 10, version 1903, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this task, set the value of DOGroupIdSource to 5.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
@ -802,7 +802,7 @@ ADMX Info:
|
||||
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
|
||||
|
||||
|
||||
Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607.
|
||||
Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size hasn't exceeded. The value 0 is new in Windows 10, version 1607.
|
||||
|
||||
The default value is 259200 seconds (3 days).
|
||||
|
||||
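Review bot: the replacement line keeps the incomplete verb phrase "as long as the cache size hasn't exceeded". The sentence needs either "hasn't been exceeded" or an object naming the limit that the cache size has not exceeded. Fix it in the same edit as the contraction.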
@ -947,7 +947,7 @@ ADMX Info:
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
|
||||
This policy is deprecated because it only applies to uploads to Internet peers (only allowed when DownloadMode is set to 3) which is not used in commercial deployments. There is no alternate policy to use.
|
||||
This policy is deprecated because it only applies to uploads to Internet peers (only allowed when DownloadMode is set to 3) which isn't used in commercial deployments. There's no alternate policy to use.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
@ -1332,7 +1332,7 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads.
|
||||
|
||||
Note that downloads from LAN peers will not be throttled even when this policy is set.
|
||||
Downloads from LAN peers won't be throttled even when this policy is set.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
@ -1390,12 +1390,12 @@ This policy is deprecated. Use [DOPercentageMaxForegroundBandwidth](#deliveryopt
|
||||
<!--Description-->
|
||||
Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads.
|
||||
|
||||
Note that downloads from LAN peers will not be throttled even when this policy is set.
|
||||
Downloads from LAN peers won't be throttled even when this policy is set.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
ADMX Info:
|
||||
- GP Friendly namee: *Maximum Foreground Download Bandwidth (percentage)*
|
||||
- GP Friendly name: *Maximum Foreground Download Bandwidth (percentage)*
|
||||
- GP name: *PercentageMaxForegroundBandwidth*
|
||||
- GP element: *PercentageMaxForegroundBandwidth*
|
||||
- GP path: *Windows Components/Delivery Optimization*
|
||||
@ -1499,7 +1499,7 @@ ADMX Info:
|
||||
|
||||
<!--/ADMXBacked-->
|
||||
<!--SupportedValues-->
|
||||
This policy allows an IT Admin to define the following:
|
||||
This policy allows an IT Admin to define the following details:
|
||||
|
||||
- Business hours range (for example 06:00 to 18:00)
|
||||
- % of throttle for background traffic during business hours
|
||||
@ -1551,7 +1551,7 @@ ADMX Info:
|
||||
|
||||
<!--/ADMXBacked-->
|
||||
<!--SupportedValues-->
|
||||
This policy allows an IT Admin to define the following:
|
||||
This policy allows an IT Admin to define the following details:
|
||||
|
||||
- Business hours range (for example 06:00 to 18:00)
|
||||
- % of throttle for foreground traffic during business hours
|
||||
|
@ -63,14 +63,14 @@ manager: dansimp
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
DeviceHealthMonitoring is an opt-in health monitoring connection between the device and Microsoft. You should enable this policy only if your organization is using a Microsoft device monitoring service which requires it.
|
||||
DeviceHealthMonitoring is an opt-in health monitoring connection between the device and Microsoft. You should enable this policy only if your organization is using a Microsoft device monitoring service that requires it.
|
||||
|
||||
<!--/Description-->
|
||||
<!--SupportedValues-->
|
||||
The following list shows the supported values:
|
||||
|
||||
- 1 — The DeviceHealthMonitoring connection is enabled.
|
||||
- 0 (default) — The DeviceHealthMonitoring connection is disabled.
|
||||
- 1—The DeviceHealthMonitoring connection is enabled.
|
||||
- 0 (default)—The DeviceHealthMonitoring connection is disabled.
|
||||
|
||||
<!--/SupportedValues-->
|
||||
<!--Example-->
|
||||
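Review bot: the two replacement supported-values lines remove the spaces around the dash after "1" and after "0 (default)", so the value runs straight into "The DeviceHealthMonitoring connection is ...". The other supported-values lists in this commit keep a spaced separator (for example "- 1 – PUA Protection on."). Keep the spaces so the value stays visually distinct from its description.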
@ -112,7 +112,7 @@ The following list shows the supported values:
|
||||
<!--Description-->
|
||||
This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device.
|
||||
This policy modifies which health events are sent to Microsoft on the DeviceHealthMonitoring connection.
|
||||
IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to dynamically manage this value in coordination with the Microsoft device health monitoring service.
|
||||
IT Pros don't need to set this policy. Instead, Microsoft Intune is expected to dynamically manage this value in coordination with the Microsoft device health monitoring service.
|
||||
|
||||
|
||||
<!--/Description-->
|
||||
@ -158,7 +158,7 @@ IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to
|
||||
<!--Description-->
|
||||
This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device.
|
||||
The value of this policy constrains the DeviceHealthMonitoring connection to certain destinations in order to support regional and sovereign cloud scenarios.
|
||||
In most cases, an IT Pro does not need to define this policy. Instead, it is expected that this value is dynamically managed by Microsoft Intune to align with the region or cloud to which the device's tenant is already linked. Only configure this policy manually if explicitly instructed to do so by a Microsoft device monitoring service.
|
||||
In most cases, an IT Pro doesn't need to define this policy. Instead, it's expected that this value is dynamically managed by Microsoft Intune to align with the region or cloud to which the device's tenant is already linked. Only configure this policy manually if explicitly instructed to do so by a Microsoft device monitoring service.
|
||||
|
||||
|
||||
<!--/Description-->
|
||||
|
@ -96,15 +96,15 @@ When this policy setting is enabled together with the "Apply layered order of ev
|
||||
- Prevent installation of devices that match these device IDs
|
||||
- Prevent installation of devices that match any of these device instance IDs
|
||||
|
||||
If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
|
||||
If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
|
||||
> [!NOTE]
|
||||
> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
|
||||
> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
|
||||
|
||||
Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting).
|
||||
|
||||
If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
|
||||
|
||||
If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
|
||||
If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
|
||||
|
||||
Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
|
||||
|
||||
@ -146,7 +146,7 @@ To enable this policy, use the following SyncML. This example allows Windows to
|
||||
</SyncML>
|
||||
```
|
||||
|
||||
To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
|
||||
To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
|
||||
|
||||
```txt
|
||||
>>> [Device Installation Restrictions Policy Check]
|
||||
@ -197,16 +197,16 @@ This policy setting allows you to specify a list of Plug and Play device instanc
|
||||
When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:
|
||||
- Prevent installation of devices that match any of these device instance IDs
|
||||
|
||||
If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
|
||||
If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
|
||||
|
||||
> [!NOTE]
|
||||
> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
|
||||
> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
|
||||
|
||||
Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting).
|
||||
|
||||
If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
|
||||
|
||||
If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
|
||||
If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
|
||||
|
||||
|
||||
Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
|
||||
@ -246,7 +246,7 @@ To enable this policy, use the following SyncML.
|
||||
</SyncBody>
|
||||
</SyncML>
|
||||
```
|
||||
To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
|
||||
To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
|
||||
``` txt
|
||||
>>> [Device Installation Restrictions Policy Check]
|
||||
>>> Section start 2018/11/15 12:26:41.659
|
||||
@ -299,16 +299,16 @@ When this policy setting is enabled together with the "Apply layered order of ev
|
||||
- Prevent installation of devices that match these device IDs
|
||||
- Prevent installation of devices that match any of these device instance IDs
|
||||
|
||||
If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
|
||||
If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
|
||||
|
||||
> [!NOTE]
|
||||
> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
|
||||
> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
|
||||
|
||||
Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting).
|
||||
|
||||
If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
|
||||
|
||||
If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
|
||||
If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
|
||||
|
||||
Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
|
||||
|
||||
@ -355,7 +355,7 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes,
|
||||
</SyncML>
|
||||
```
|
||||
|
||||
To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
|
||||
To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
|
||||
|
||||
|
||||
```txt
|
||||
@ -421,7 +421,7 @@ Device instance IDs > Device IDs > Device setup class > Removable devices
|
||||
> [!NOTE]
|
||||
> This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored.
|
||||
|
||||
If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device.
|
||||
If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -457,7 +457,7 @@ ADMX Info:
|
||||
</SyncML>
|
||||
```
|
||||
|
||||
To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
|
||||
To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
|
||||
|
||||
|
||||
```txt
|
||||
@ -468,7 +468,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
|
||||
```
|
||||
You can also change the evaluation order of device installation policy settings by using a custom profile in Intune.
|
||||
|
||||
:::image type="content" source="images/edit-row.png" alt-text="This is a edit row image.":::
|
||||
:::image type="content" source="images/edit-row.png" alt-text="This image is an edit row image.":::
|
||||
|
||||
<!--/Example-->
|
||||
<!--Validation-->
|
||||
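Review bot: the replacement alt text for `images/edit-row.png`, "This image is an edit row image.", corrects the article but now says "image" twice and still gives a screen-reader user no information. Describe what the screenshot shows in the context of the preceding sentence (changing the evaluation order through a custom profile in Intune) rather than restating the file name.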
@ -506,9 +506,9 @@ You can also change the evaluation order of device installation policy settings
|
||||
<!--Description-->
|
||||
This policy setting allows you to prevent Windows from retrieving device metadata from the Internet.
|
||||
|
||||
If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System > Advanced System Settings > Hardware tab).
|
||||
If you enable this policy setting, Windows doesn't retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System > Advanced System Settings > Hardware tab).
|
||||
|
||||
If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet.
|
||||
If you disable or don't configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -561,14 +561,14 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting.
|
||||
This policy setting allows you to prevent the installation of devices that aren't described by any other policy setting.
|
||||
|
||||
> [!NOTE]
|
||||
> This policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting to provide more granular control. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting instead of this policy setting.
|
||||
> This policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting to provide more granular control. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting instead of this policy setting.
|
||||
|
||||
If you enable this policy setting, Windows is prevented from installing or updating the driver package for any device that is not described by either the "Allow installation of devices that match any of these device IDs", the "Allow installation of devices for these device classes", or the "Allow installation of devices that match any of these device instance IDs" policy setting.
|
||||
If you enable this policy setting, Windows is prevented from installing or updating the driver package for any device that isn't described by either the "Allow installation of devices that match any of these device IDs", the "Allow installation of devices for these device classes", or the "Allow installation of devices that match any of these device instance IDs" policy setting.
|
||||
|
||||
If you disable or do not configure this policy setting, Windows is allowed to install or update the driver package for any device that is not described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting.
|
||||
If you disable or don't configure this policy setting, Windows is allowed to install or update the driver package for any device that isn't described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
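Review bot: the first rewritten line drops the word "specifically" ("that are not specifically described" became "that aren't described"), which goes beyond the contraction changes made elsewhere in this hunk; confirm the narrower wording was not intentional in the original. In the last changed paragraph the list is also uneven: only the second and fourth quoted setting names are followed by "policy setting". Since the line is being touched anyway, either append it to all four or state it once at the end.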
@ -585,7 +585,7 @@ ADMX Info:
|
||||
|
||||
<!--/SupportedValues-->
|
||||
<!--Example-->
|
||||
To enable this policy, use the following SyncML. This example prevents Windows from installing devices that are not specifically described by any other policy setting.
|
||||
To enable this policy, use the following SyncML. This example prevents Windows from installing devices that aren't described by any other policy setting.
|
||||
|
||||
|
||||
```xml
|
||||
@ -607,7 +607,7 @@ To enable this policy, use the following SyncML. This example prevents Windows f
|
||||
</SyncML>
|
||||
```
|
||||
|
||||
To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
|
||||
To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
|
||||
|
||||
```txt
|
||||
>>> [Device Installation Restrictions Policy Check]
|
||||
@ -661,7 +661,7 @@ This policy setting allows you to specify a list of Plug and Play hardware IDs a
|
||||
|
||||
If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
|
||||
|
||||
If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
|
||||
If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
|
||||
|
||||
Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
|
||||
|
||||
@ -703,7 +703,7 @@ To enable this policy, use the following SyncML. This example prevents Windows f
|
||||
</SyncML>
|
||||
```
|
||||
|
||||
To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
|
||||
To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
|
||||
|
||||
```txt
|
||||
>>> [Device Installation Restrictions Policy Check]
|
||||
@ -756,7 +756,7 @@ This policy setting allows you to specify a list of Plug and Play device instanc
|
||||
|
||||
If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
|
||||
|
||||
If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
|
||||
If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
|
||||
|
||||
Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
|
||||
|
||||
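Review bot: the context paragraph right after the changed line still says "ensure it allows the devices expected", yet this setting prevents installation of the listed device instance IDs, and the other Prevent settings in this file use "ensure it blocks the devices expected". Change "allows" to "blocks" in the same pass so the test guidance matches what the policy does.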
@ -795,7 +795,7 @@ To enable this policy, use the following SyncML. This example prevents Windows f
|
||||
</SyncBody>
|
||||
</SyncML>
|
||||
```
|
||||
To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
|
||||
To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
|
||||
|
||||
``` txt
|
||||
>>> [Device Installation Restrictions Policy Check]
|
||||
@ -819,7 +819,7 @@ Replace
|
||||
with
|
||||
```USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0```
|
||||
> [!Note]
|
||||
> Do not use spaces in the value.
|
||||
> don't use spaces in the value.
|
||||
3. Replace the device instance IDs with `&` into the sample SyncML. Add the SyncML into the Intune custom device configuration profile.
|
||||
|
||||
<!--/Example-->
|
||||
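Review bot: the changed note line now starts with a lowercase letter, "> don't use spaces in the value.", where the original began "Do not". Keep the sentence capitalised: "> Don't use spaces in the value." The following step, "Replace the device instance IDs with `&` into the sample SyncML", is also hard to parse and would benefit from a rewrite while this block is open.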
@ -864,7 +864,7 @@ This policy setting allows you to specify a list of device setup class globally
|
||||
|
||||
If you enable this policy setting, Windows is prevented from installing or updating driver packages whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
|
||||
|
||||
If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
|
||||
If you disable or don't configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
|
||||
|
||||
Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
|
||||
|
||||
@ -911,7 +911,7 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes,
|
||||
</SyncML>
|
||||
```
|
||||
|
||||
To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
|
||||
To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
|
||||
|
||||
```txt
|
||||
>>> [Device Installation Restrictions Policy Check]
|
||||
|
@ -152,7 +152,7 @@ Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For th
|
||||
> This policy must be wrapped in an Atomic command.
|
||||
|
||||
|
||||
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
|
||||
For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
|
||||
|
||||
<!--/Description-->
|
||||
<!--SupportedValues-->
|
||||
@ -377,16 +377,16 @@ Specifies when the password expires (in days).
|
||||
|
||||
|
||||
|
||||
If all policy values = 0 then 0; otherwise, Min policy value is the most secure value.
|
||||
If all policy values = 0, then 0; otherwise, Min policy value is the most secure value.
|
||||
|
||||
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
|
||||
For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
|
||||
|
||||
<!--/Description-->
|
||||
<!--SupportedValues-->
|
||||
The following list shows the supported values:
|
||||
|
||||
- An integer X where 0 <= X <= 730.
|
||||
- 0 (default) - Passwords do not expire.
|
||||
- 0 (default) - Passwords don't expire.
|
||||
|
||||
<!--/SupportedValues-->
|
||||
<!--/Policy-->
|
||||
@ -425,11 +425,11 @@ Specifies how many passwords can be stored in the history that can’t be used.
|
||||
> [!NOTE]
|
||||
> This policy must be wrapped in an Atomic command.
|
||||
|
||||
The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords.
|
||||
The value includes the user's current password. This value denotes that with a setting of 1, the user can't reuse their current password when choosing a new password, while a setting of 5 means that a user can't set their new password to their current password or any of their previous four passwords.
|
||||
|
||||
Max policy value is the most restricted.
|
||||
|
||||
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
|
||||
For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
|
||||
|
||||
<!--/Description-->
|
||||
<!--SupportedValues-->
|
||||
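Review bot: in the rewritten password-history sentence, "This value denotes that with a setting of 1, ..." is harder to read than the original "This means that ..." and no longer parallels the second half, which still says "a setting of 5 means that". Suggest keeping the original verb and only applying the contractions and the added comma: "This means that with a setting of 1, the user can't reuse their current password ...".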
@ -470,7 +470,7 @@ The following list shows the supported values:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image.
|
||||
Specifies the default lock screen and sign-in image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and sign-in screens. Users won't be able to change this image.
|
||||
|
||||
> [!NOTE]
|
||||
> This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro.
|
||||
@ -516,14 +516,14 @@ The number of authentication failures allowed before the device will be wiped. A
|
||||
> This policy must be wrapped in an Atomic command.
|
||||
|
||||
|
||||
On a client device, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced.
|
||||
On a client device, when the user reaches the value set by this policy, it isn't wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker isn't enabled, then the policy can't be enforced.
|
||||
|
||||
Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key.
|
||||
|
||||
|
||||
Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value.
|
||||
|
||||
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
|
||||
For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
|
||||
|
||||
<!--/Description-->
|
||||
<!--SupportedValues-->
|
||||
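Review bot: in the changed line "when the user reaches the value set by this policy, it isn't wiped", the pronoun "it" has no clear antecedent; the nearest nouns are "value" and "policy". Say "the device isn't wiped". The same line keeps "the desktop is put on BitLocker recovery mode", where "put in" (or "placed in") reads correctly.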
@ -573,7 +573,7 @@ On HoloLens, this timeout is controlled by the device's system sleep timeout, re
|
||||
|
||||
|
||||
|
||||
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
|
||||
For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
|
||||
|
||||
<!--/Description-->
|
||||
<!--SupportedValues-->
|
||||
@ -651,9 +651,9 @@ Enforced values for Local and Microsoft Accounts:
|
||||
- Base 10 digits (0 through 9)
|
||||
- Special characters (!, $, \#, %, etc.)
|
||||
|
||||
The enforcement of policies for Microsoft accounts happen on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant.
|
||||
The enforcement of policies for Microsoft accounts happens on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant.
|
||||
|
||||
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
|
||||
For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
|
||||
|
||||
<!--/Description-->
|
||||
<!--/Policy-->
|
||||
@ -698,7 +698,7 @@ Specifies the minimum number or characters required in the PIN or password.
|
||||
|
||||
Max policy value is the most restricted.
|
||||
|
||||
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
|
||||
For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
|
||||
|
||||
<!--/Description-->
|
||||
<!--SupportedValues-->
|
||||
@ -767,7 +767,7 @@ This security setting determines the period of time (in days) that a password mu
|
||||
|
||||
The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
|
||||
|
||||
Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default.
|
||||
Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting doesn't follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user doesn't have to choose a new password. For this reason, Enforce password history is set to 1 by default.
|
||||
|
||||
<!--/Description-->
|
||||
<!--DbMapped-->
|
||||
@ -811,7 +811,7 @@ Disables the lock screen camera toggle switch in PC Settings and prevents a came
|
||||
|
||||
By default, users can enable invocation of an available camera on the lock screen.
|
||||
|
||||
If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera cannot be invoked on the lock screen.
|
||||
If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera can't be invoked on the lock screen.
|
||||
|
||||
<!--/Description-->
|
||||
> [!TIP]
|
||||
|
@ -113,19 +113,19 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
Per Process System DPI is an application compatibility feature for desktop applications that do not render properly after a display-scale factor (DPI) change. When the display scale factor of the primary display changes (which can happen when you connect or disconnect a display that has a different display scale factor (DPI), connect remotely from a device with a different display scale factor, or manually change the display scale factor), many desktop applications can display blurry. Desktop applications that have not been updated to display properly in this scenario will be blurry until you log out and back in to Windows.
|
||||
Per Process System DPI is an application compatibility feature for desktop applications that don't render properly after a display-scale factor (DPI) change. When the display scale factor of the primary display changes (which can happen when you connect or disconnect a display that has a different display scale factor (DPI), connect remotely from a device with a different display scale factor, or manually change the display scale factor), many desktop applications can display blurry. Desktop applications that haven't been updated to display properly in this scenario will be blurry until you sign out and back in to Windows.
|
||||
|
||||
When you enable this policy some blurry applications will be crisp after they are restarted, without requiring the user to log out and back in to Windows.
|
||||
When you enable this policy some blurry applications will be crisp after they're restarted, without requiring the user to sign out and back in to Windows.
|
||||
|
||||
Be aware of the following:
|
||||
Be aware of the following points:
|
||||
|
||||
Per Process System DPI will only improve the rendering of desktop applications that are positioned on the primary display (or any other display that has the same scale factor as that of the primary display). Some desktop applications can still be blurry on secondary displays that have different display scale factors.
|
||||
Per Process System DPI will only improve the rendering of desktop applications that are positioned on the primary display (or any other display having the same scale factor as that of the primary display). Some desktop applications can still be blurry on secondary displays that have different display scale factors.
|
||||
|
||||
Per Process System DPI will not work for all applications as some older desktop applications will always be blurry on high DPI displays.
|
||||
Per Process System DPI won't work for all applications as some older desktop applications will always be blurry on high DPI displays.
|
||||
|
||||
In some cases, you may see some unexpected behavior in some desktop applications that have Per-Process System DPI applied. If that happens, Per Process System DPI should be disabled.
|
||||
|
||||
Enabling this setting lets you specify the system-wide default for desktop applications and per-application overrides. If you disable or do not configure this setting. Per Process System DPI will not apply to any processes on the system.
|
||||
Enabling this setting lets you specify the system-wide default for desktop applications and per-application overrides. If you disable or don't configure this setting, Per Process System DPI won't apply to any processes on the system.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
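Review bot: The unchanged paragraph beginning "In some cases" spells the feature "Per-Process System DPI", while every other mention in this hunk, including the edited lines, uses "Per Process System DPI"; pick one spelling and apply it throughout. The items that follow "Be aware of the following points:" are plain paragraphs, so a bullet list would match the new lead-in.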
@ -218,13 +218,13 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
|
||||
GDI DPI Scaling enables applications that aren't DPI aware to become per monitor DPI aware.
|
||||
|
||||
This policy setting lets you specify legacy applications that have GDI DPI Scaling turned off.
|
||||
|
||||
If you enable this policy setting, GDI DPI Scaling is turned off for all applications in the list, even if they are enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
|
||||
If you enable this policy setting, GDI DPI Scaling is turned off for all applications in the list, even if they're enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
|
||||
|
||||
If you disable or do not configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications.
|
||||
If you disable or don't configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications.
|
||||
|
||||
If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
|
||||
|
||||
@ -239,7 +239,7 @@ ADMX Info:
|
||||
|
||||
<!--/ADMXMapped-->
|
||||
<!--Validation-->
|
||||
To validate on Desktop, do the following:
|
||||
To validate on Desktop, do the following tasks:
|
||||
|
||||
1. Configure the setting for an app, which has GDI DPI scaling enabled via MDM or any other supported mechanisms.
|
||||
2. Run the app and observe blurry text.
|
||||
@ -276,13 +276,13 @@ To validate on Desktop, do the following:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
|
||||
GDI DPI Scaling enables applications that aren't DPI aware to become per monitor DPI aware.
|
||||
|
||||
This policy setting lets you specify legacy applications that have GDI DPI Scaling turned on.
|
||||
|
||||
If you enable this policy setting, GDI DPI Scaling is turned on for all legacy applications in the list.
|
||||
|
||||
If you disable or do not configure this policy setting, GDI DPI Scaling will not be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
|
||||
If you disable or don't configure this policy setting, GDI DPI Scaling won't be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
|
||||
|
||||
If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
|
||||
|
||||
@ -297,7 +297,7 @@ ADMX Info:
|
||||
|
||||
<!--/ADMXMapped-->
|
||||
<!--Validation-->
|
||||
To validate on Desktop, do the following:
|
||||
To validate on Desktop, do the following tasks:
|
||||
|
||||
1. Configure the setting for an app, which uses GDI.
|
||||
2. Run the app and observe crisp text.
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - DmaGuard
|
||||
description: Learn how to use the Policy CSP - DmaGuard setting to provide additional security against external DMA capable devices.
|
||||
description: Learn how to use the Policy CSP - DmaGuard setting to provide more security against external DMA capable devices.
|
||||
ms.author: dansimp
|
||||
ms.topic: article
|
||||
ms.prod: w10
|
||||
@ -56,11 +56,11 @@ manager: dansimp
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers)/device memory isolation and sandboxing.
|
||||
This policy is intended to provide more security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers)/device memory isolation and sandboxing.
|
||||
|
||||
Device memory sandboxing allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
|
||||
Device memory sandboxing allows the OS to use the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
|
||||
|
||||
This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that cannot be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, please check the Kernel DMA Protection field in the Summary page of MSINFO32.exe.
|
||||
This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that can't be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, check the Kernel DMA Protection field in the Summary page of MSINFO32.exe.
|
||||
|
||||
> [!NOTE]
|
||||
> This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices.
|
||||
|
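Review bot: In the Kernel DMA Protection paragraph, the rewritten sentence still reads "can't be controlled via policy or by end user", which is missing an article ("by the end user"); the line is already being touched, so fix it here. The NOTE below it keeps "does not apply" although every other negation in this hunk was contracted, so the commit is inconsistent with its own rule. In the first paragraph, "more security against external DMA capable devices" is vaguer than the original "additional security", and "DMA capable" should be hyphenated as a compound modifier.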
@ -65,7 +65,7 @@ manager: dansimp
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you will be able to access graphing functionality.
|
||||
This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality won't be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you'll be able to access graphing functionality.
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
ADMX Info:
|
||||
@ -147,7 +147,7 @@ The policy value is expected to be the name (network host name) of an installed
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
Allows IT Admins to prevent user installation of additional printers from the printers settings.
|
||||
Allows IT Admins to prevent user installation of more printers from the printers settings.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
|
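Review bot: "prevent user installation of more printers" is less clear than the original "additional printers", because "more" can be read as a quantity comparison rather than "any further printers". Suggest keeping "additional" on this line.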
@ -75,19 +75,19 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy setting determines the consent behavior of Windows Error Reporting for specific event types.
|
||||
|
||||
If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.
|
||||
If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those even types for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.
|
||||
|
||||
- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type.
|
||||
|
||||
- 1 (Always ask before sending data): Windows prompts the user for consent to send reports.
|
||||
|
||||
- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft.
|
||||
- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any extra data requested by Microsoft.
|
||||
|
||||
- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft.
|
||||
- 3 (Send parameters and safe extra data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and data which Windows has determined (within a high probability) doesn't contain personally identifiable data, and prompts the user for consent to send any extra data requested by Microsoft.
|
||||
|
||||
- 4 (Send all data): Any data requested by Microsoft is sent automatically.
|
||||
|
||||
If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting.
|
||||
If you disable or don't configure this policy setting, then the default consent settings that are applied are those settings specified by the user in Control Panel, or in the Configure Default Consent policy setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
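Review bot: The changed sentence in the second paragraph now reads "Event types are those even types for generic, non-fatal errors", which introduces a typo ("even" for "event") and a redundant repetition; the original "Event types are those for generic, non-fatal errors" was correct. Also check the consent level 3 entry: changing "Send parameters and safe additional data" to "Send parameters and safe extra data" alters what looks like the name of the option rather than prose, and it should match the label shown in the policy UI.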
@ -129,11 +129,11 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.
|
||||
This policy setting turns off Windows Error Reporting, so that reports aren't collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.
|
||||
|
||||
If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel.
|
||||
If you enable this policy setting, Windows Error Reporting doesn't send any problem information to Microsoft. Additionally, solution information isn't available in Security and Maintenance in Control Panel.
|
||||
|
||||
If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.
|
||||
If you disable or don't configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -179,9 +179,9 @@ This policy setting controls whether users are shown an error dialog box that le
|
||||
|
||||
If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error.
|
||||
|
||||
If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users.
|
||||
If you disable this policy setting, users aren't notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that don't have interactive users.
|
||||
|
||||
If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server.
|
||||
If you don't configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server.
|
||||
|
||||
See also the Configure Error Reporting policy setting.
|
||||
|
||||
@ -225,11 +225,11 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.
|
||||
This policy setting controls whether extra data in support of error reports can be sent to Microsoft automatically.
|
||||
|
||||
If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user.
|
||||
If you enable this policy setting, any extra data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user.
|
||||
|
||||
If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
|
||||
If you disable or don't configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -273,9 +273,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting prevents the display of the user interface for critical errors.
|
||||
|
||||
If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors.
|
||||
If you enable this policy setting, Windows Error Reporting doesn't display any GUI-based error messages or dialog boxes for critical errors.
|
||||
|
||||
If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors.
|
||||
If you disable or don't configure this policy setting, Windows Error Reporting displays the user interface for critical errors.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - EventLogService
|
||||
description: Learn how to use the Policy CSP - EventLogService settting to control Event Log behavior when the log file reaches its maximum size.
|
||||
description: Learn how to use the Policy CSP - EventLogService setting to control Event Log behavior when the log file reaches its maximum size.
|
||||
ms.author: dansimp
|
||||
ms.topic: article
|
||||
ms.prod: w10
|
||||
@ -67,9 +67,9 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy setting controls Event Log behavior when the log file reaches its maximum size.
|
||||
|
||||
If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.
|
||||
If you enable this policy setting and a log file reaches its maximum size, new events aren't written to the log and are lost.
|
||||
|
||||
If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
|
||||
If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
|
||||
|
||||
Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
|
||||
|
||||
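Review bot: The context line "Note: Old events may or may not be retained..." is left as inline text, while notes in other hunks of this commit use the `> [!NOTE]` block; convert it for consistency. The callout matters here because the enabled state means new events are lost once the log is full, and the backup policy is the only mitigation the description mentions.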
@ -115,9 +115,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies the maximum size of the log file in kilobytes.
|
||||
|
||||
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
|
||||
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments.
|
||||
|
||||
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
|
||||
If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
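Review bot: The upper bound is now written "2,147,483,647 kilobytes" while the lower bound in the same sentence stays "1024 kilobytes", so the two limits are formatted differently. Because the sentence describes the range an administrator configures, consider keeping the digits ungrouped or grouping both values. The same sentence is changed the same way in the two following hunks.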
@ -161,9 +161,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies the maximum size of the log file in kilobytes.
|
||||
|
||||
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
|
||||
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments.
|
||||
|
||||
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
|
||||
If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -207,9 +207,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies the maximum size of the log file in kilobytes.
|
||||
|
||||
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
|
||||
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments.
|
||||
|
||||
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
|
||||
If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
|
@ -155,7 +155,7 @@ ADMX Info:
|
||||
1. Configure Experiences/AllowClipboardHistory to 0.
|
||||
1. Open Notepad (or any editor app), select a text, and copy it to the clipboard.
|
||||
1. Press Win+V to open the clipboard history UI.
|
||||
1. You should not see any clipboard item including current item you copied.
|
||||
1. You shouldn't see any clipboard item including current item you copied.
|
||||
1. The setting under Settings App->System->Clipboard should be grayed out with policy warning.
|
||||
|
||||
<!--/Validation-->
|
||||
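Review bot: The fourth validation step was changed only for the contraction and still reads "any clipboard item including current item you copied"; add the missing article ("including the current item you copied") in the same edit.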
@ -241,7 +241,7 @@ The following list shows the supported values:
|
||||
<!--Description-->
|
||||
Allows users to turn on/off device discovery UX.
|
||||
|
||||
When set to 0, the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on.
|
||||
When set to 0, the projection pane is disabled. The Win+P and Win+K shortcut keys won't work on.
|
||||
|
||||
Most restricted value is 0.
|
||||
|
||||
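Review bot: The changed line still ends with a dangling "on": "The Win+P and Win+K shortcut keys won't work on." Only the contraction was fixed, so the sentence remains incomplete; drop the trailing word or finish the phrase.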
@ -287,7 +287,7 @@ This policy turns on Find My Device.
|
||||
|
||||
When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. In Windows 10, version 1709 devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer.
|
||||
|
||||
When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. In Windows 10, version 1709 the user will not be able to view the location of the last use of their active digitizer on their device.
|
||||
When Find My Device is off, the device and its location aren't registered and the Find My Device feature won't work. In Windows 10, version 1709 the user won't be able to view the location of the last use of their active digitizer on their device.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
@ -335,7 +335,7 @@ The following list shows the supported values:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e.g., auto-enrolled), then disabling the MDM unenrollment has no effect.
|
||||
Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (for example, auto-enrolled), then disabling the MDM unenrollment has no effect.
|
||||
|
||||
> [!NOTE]
|
||||
> The MDM server can always remotely delete the account.
|
||||
@ -398,7 +398,7 @@ This policy is deprecated.
|
||||
|
||||
<!--/Description-->
|
||||
<!--SupportedValues-->
|
||||
Describe what value are supported in by this policy and meaning of each value is default value.
|
||||
Describe what values are supported in by this policy and meaning of each value is default value.
|
||||
|
||||
<!--/SupportedValues-->
|
||||
<!--/Policy-->
|
||||
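Review bot: The changed line under SupportedValues is template placeholder text ("Describe what values are supported in by this policy and meaning of each value is default value."), and pluralizing "value" does not make it meaningful. Since the hunk header shows the policy is deprecated, either list the actual supported values or remove the sentence; the next hunk carries the same placeholder.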
@ -443,7 +443,7 @@ This policy is deprecated.
|
||||
|
||||
<!--/Description-->
|
||||
<!--SupportedValues-->
|
||||
Describes what value are supported in by this policy and meaning of each value is default value.
|
||||
Describes what values are supported in by this policy and meaning of each value is default value.
|
||||
|
||||
<!--/SupportedValues-->
|
||||
<!--/Policy-->
|
||||
@ -482,7 +482,7 @@ Allows or disallows all Windows sync settings on the device. For information abo
|
||||
<!--SupportedValues-->
|
||||
The following list shows the supported values:
|
||||
|
||||
- 0 – Sync settings are not allowed.
|
||||
- 0 – Sync settings aren't allowed.
|
||||
- 1 (default) – Sync settings allowed.
|
||||
|
||||
<!--/SupportedValues-->
|
||||
@ -517,12 +517,12 @@ The following list shows the supported values:
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
|
||||
This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them.
|
||||
This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows won't use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or don't configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them.
|
||||
|
||||
Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value.
|
||||
|
||||
> [!NOTE]
|
||||
> This setting does not control Cortana cutomized experiences because there are separate policies to configure it.
|
||||
> This setting doesn't control Cortana cutomized experiences because there are separate policies to configure it.
|
||||
|
||||
Most restricted value is 0.
|
||||
|
||||
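Review bot: The NOTE line was edited for the contraction but still contains the misspelling "cutomized" ("This setting doesn't control Cortana cutomized experiences"); correct it to "customized" in the same change.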
@ -682,7 +682,7 @@ The following list shows the supported values:
|
||||
> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
|
||||
|
||||
|
||||
Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings.
|
||||
Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or don't configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings.
|
||||
|
||||
Most restricted value is 0.
|
||||
|
||||
@ -733,7 +733,7 @@ The following list shows the supported values:
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
|
||||
This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows.
|
||||
This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or don't configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows.
|
||||
|
||||
Most restricted value is 0.
|
||||
|
||||
@ -837,7 +837,7 @@ The following list shows the supported values:
|
||||
<!--Description-->
|
||||
|
||||
This policy setting lets you turn off the Windows spotlight Windows welcome experience feature.
|
||||
The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested.
|
||||
The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or don't configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested.
|
||||
|
||||
Most restricted value is 0.
|
||||
|
||||
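Review bot: The changed paragraph keeps "introduces onboard users to Windows" and "to inform onboard users", where "onboard" is not doing grammatical work as either a verb or an adjective. If the intent is that the feature helps onboard users, say "helps onboard users to Windows" and "to inform users"; otherwise drop "onboard" from both sentences while the line is being edited.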
@ -942,7 +942,7 @@ The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not
|
||||
- 0 - Not Configured: The Chat icon will be configured according to the defaults for your Windows edition.
|
||||
- 1 - Show: The Chat icon will be displayed on the taskbar by default. Users can show or hide it in Settings.
|
||||
- 2 - Hide: The Chat icon will be hidden by default. Users can show or hide it in Settings.
|
||||
- 3 - Disabled: The Chat icon will not be displayed, and users cannot show or hide it in Settings.
|
||||
- 3 - Disabled: The Chat icon won't be displayed, and users can't show or hide it in Settings.
|
||||
|
||||
> [!NOTE]
|
||||
> Option 1 (Show) and Option 2 (Hide) only work on the first sign-in attempt. Option 3 (Disabled) works on all attempts.
|
||||
@ -982,7 +982,7 @@ The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not
|
||||
> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
|
||||
|
||||
|
||||
Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1.
|
||||
Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization doesn't have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
@ -1033,7 +1033,7 @@ This policy setting lets you turn off cloud optimized content in all Windows exp
|
||||
|
||||
If you enable this policy setting, Windows experiences that use the cloud optimized content client component will present the default fallback content.
|
||||
|
||||
If you disable or do not configure this policy setting, Windows experiences will be able to use cloud optimized content.
|
||||
If you disable or don't configure this policy setting, Windows experiences will be able to use cloud optimized content.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
@ -1083,9 +1083,9 @@ The following list shows the supported values:
|
||||
<!--Description-->
|
||||
Prevents devices from showing feedback questions from Microsoft.
|
||||
|
||||
If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or do not configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback.
|
||||
If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or don't configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback.
|
||||
|
||||
If you disable or do not configure this policy setting, users can control how often they receive feedback questions.
|
||||
If you disable or don't configure this policy setting, users can control how often they receive feedback questions.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
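Review bot: The two rewritten sentences both begin "If you disable or don't configure this policy setting" and give two different outcomes in separate paragraphs ("users may see notifications through the Feedback hub app" and "users can control how often they receive feedback questions"). Merge them into one sentence so the disabled/not-configured behaviour is stated once, and check whether "Feedback hub" should be capitalized as the app name.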
@ -1099,7 +1099,7 @@ ADMX Info:
|
||||
<!--SupportedValues-->
|
||||
The following list shows the supported values:
|
||||
|
||||
- 0 (default) – Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally.
|
||||
- 0 (default) – Feedback notifications aren't disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally.
|
||||
- 1 – Feedback notifications are disabled.
|
||||
|
||||
<!--/SupportedValues-->
|
||||
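Review bot: On the value 0 line, "Feedback notifications aren't disabled" is a negated negative that the contraction makes harder to scan next to "1 – Feedback notifications are disabled", and "GP" is left unexpanded. Consider wording such as "Feedback notifications aren't turned off by this policy" and spelling out "Group Policy" on first use.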
@ -1151,7 +1151,7 @@ ADMX Info:
|
||||
Supported values:
|
||||
|
||||
- 0 (default) - Allowed/turned on. The "browser" group synchronizes automatically between users' devices and lets users make changes.
|
||||
- 2 - Prevented/turned off. The "browser" group does not use the _Sync your Settings_ option.
|
||||
- 2 - Prevented/turned off. The "browser" group doesn't use the _Sync your Settings_ option.
|
||||
|
||||
|
||||
_**Sync the browser settings automatically**_
|
||||
@ -1291,7 +1291,7 @@ If you enable this policy setting, the lock option is shown in the User Tile men
|
||||
|
||||
If you disable this policy setting, the lock option is never shown in the User Tile menu.
|
||||
|
||||
If you do not configure this policy setting, the lock option is shown in the User Tile menu. Users can choose if they want to show the lock in the user tile menu from the Power Options control panel.
|
||||
If you don't configure this policy setting, the lock option is shown in the User Tile menu. Users can choose if they want to show the lock in the user tile menu from the Power Options control panel.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
@ -1304,7 +1304,7 @@ ADMX Info:
|
||||
<!--/ADMXMapped-->
|
||||
<!--SupportedValues-->
|
||||
Supported values:
|
||||
- false - The lock option is not displayed in the User Tile menu.
|
||||
- false - The lock option isn't displayed in the User Tile menu.
|
||||
- true (default) - The lock option is displayed in the User Tile menu.
|
||||
|
||||
<!--/SupportedValues-->
|
||||
|
@ -58,11 +58,11 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy allows an enterprise to configure the default mode for the handwriting panel.
|
||||
|
||||
The handwriting panel has 2 modes - floats near the text box, or docked to the bottom of the screen. The default configuration to is floating near text box. If you want the panel to be fixed or docked, use this policy to fix it to the bottom of the screen.
|
||||
The handwriting panel has two modes - floats near the text box, or docked to the bottom of the screen. The default configuration is the one floating near text box. If you want the panel to be fixed or docked, use this policy to fix it to the bottom of the screen.
|
||||
|
||||
In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and does not require any user interaction.
|
||||
In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and doesn't require any user interaction.
|
||||
|
||||
The docked mode is especially useful in Kiosk mode where you do not expect the end-user to drag the flying-in panel out of the way.
|
||||
The docked mode is especially useful in Kiosk mode where you don't expect the end-user to drag the flying-in panel out of the way.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
|
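Review bot: The rewritten sentence "The handwriting panel has two modes - floats near the text box, or docked to the bottom of the screen" still mixes verb forms ("floats" versus "docked"), and "The default configuration is the one floating near text box" drops the article and reads awkwardly. Suggest "floating near the text box or docked to the bottom of the screen" and "The default is floating near the text box". The claim that floating mode "results in end-user dissatisfaction" is also stated as fact; "can obscure content" would be more precise.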