mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 14:27:22 +00:00
Merge branch 'main' into aljupudi-586419-cspimprovementtask-08
commit
41a3a7ac8b
@ -19549,6 +19549,11 @@
|
||||
"source_path": "windows/client-management/mdm/proxy-csp.md",
|
||||
"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
|
||||
"redirect_document_id": false
|
||||
}
|
||||
},
|
||||
{
|
||||
"source_path": "windows/client-management/img-boot-sequence.md",
|
||||
"redirect_url": "/windows/client-management/advanced-troubleshooting-boot-problems#boot-sequence",
|
||||
"redirect_document_id": false
|
||||
}
|
||||
]
|
||||
}
|
||||
|
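Review bot: The new redirect entry for `windows/client-management/img-boot-sequence.md` points at the fragment `#boot-sequence`, so it only lands on the diagram while the target article keeps an element with exactly that name. Please confirm the anchor exists in `advanced-troubleshooting-boot-problems` in the same merge, and consider a short comment beside it there so a later cleanup does not quietly turn this into a top-of-page redirect.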
@ -111,7 +111,7 @@ Back up all your data before installing Windows 10 in S mode. Only personal file
|
||||
|
||||
Windows 10 in S mode doesn't support non-Azure Active Directory domain accounts. Before installing Windows 10 in S mode, you must have at least one of these administrator accounts:
|
||||
- Local administrator
|
||||
- Microsoft Account (MSA) administrator
|
||||
- Microsoft account administrator
|
||||
- Azure Active Directory administrator
|
||||
|
||||
> [!WARNING]
|
||||
|
@ -74,7 +74,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run
|
||||
|NextUp Talker |1.0.49 |Win32 |NextUp Technologies|
|
||||
|NonVisual Desktop Access |2021.3.1 |Win32 |NV Access|
|
||||
|NWEA Secure Testing Browser |5.4.300.0 |Win32 |NWEA|
|
||||
|Pearson TestNav |1.10.2.0 |Win32 |Pearson|
|
||||
|Pearson TestNav |1.10.2.0 |Store |Pearson|
|
||||
|Questar Secure Browser |4.8.3.376 |Win32 |Questar|
|
||||
|ReadAndWriteForWindows |12.0.60.0 |Win32 |Texthelp Ltd.|
|
||||
|Remote Help |3.8.0.12 |Win32 |Microsoft|
|
||||
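Review bot: The two Pearson TestNav rows in this hunk differ only in the app type column (`Win32` versus `Store`) and both carry version `1.10.2.0`. Please confirm that the version shown belongs to the package type that ends up in the table, since admins read this list to decide which builds are allowed to run on Windows 11 SE.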
@ -82,7 +82,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run
|
||||
|Safe Exam Browser |3.3.2.413 |Win32 |Safe Exam Browser|
|
||||
|Secure Browser |14.0.0 |Win32 |Cambium Development|
|
||||
|Secure Browser |4.8.3.376 |Win32 |Questar, Inc|
|
||||
|SensoCloud |2021.11.15.0 |Win32|Senso.Cloud|
|
||||
|Senso.Cloud |2021.11.15.0 |Win32|Senso.Cloud|
|
||||
|SuperNova Magnifier & Screen Reader |21.02 |Win32 |Dolphin Computer Access|
|
||||
|Zoom |5.9.1 (2581)|Win32 |Zoom|
|
||||
|ZoomText Fusion |2022.2109.10|Win32 |Freedom Scientific|
|
||||
|
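Review bot: The context row `|Secure Browser |4.8.3.376 |Win32 |Questar, Inc|` has the same version as the `|Questar Secure Browser |4.8.3.376 |Win32 |Questar|` row earlier in the table, with a different publisher spelling, which looks like one product listed twice. While this table is being edited, please check whether one of the two can go. Minor style point on the renamed Senso.Cloud row: `|Win32|Senso.Cloud|` has no padding before the pipes, unlike the rows around it.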
@ -1,10 +1,11 @@
|
||||
items:
|
||||
- name: Docs
|
||||
tocHref: /
|
||||
topicHref: /
|
||||
items:
|
||||
- name: Windows
|
||||
tocHref: /windows
|
||||
topicHref: https://docs.microsoft.com/windows/#pivot=it-pro
|
||||
topicHref: /windows/resources/
|
||||
items:
|
||||
- name: SMB
|
||||
tocHref: /windows/smb
|
||||
|
@ -50,10 +50,11 @@ You can create collections of apps within your private store. Collections allow
|
||||
You can add a collection to your private store from the private store, or from the details page for an app.
|
||||
|
||||
**From private store**
|
||||
|
||||
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
|
||||
2. Click your private store.</br>
|
||||
|
||||

|
||||

|
||||
3. Click **Add a Collection**.</br>
|
||||
|
||||

|
||||
@ -65,6 +66,7 @@ You can add a collection to your private store from the private store, or from t
|
||||
> New collections require at least one app, or they will not be created.
|
||||
|
||||
**From app details page**
|
||||
|
||||
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
|
||||
2. Click **Manage**, and then click **Products & services**.
|
||||
3. Under **Apps & software**, choose an app you want to include in a new collection.
|
||||
@ -84,12 +86,13 @@ If you've already added a Collection to your private store, you can easily add a
|
||||
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
|
||||
2. Click your private store.</br>
|
||||
|
||||

|
||||

|
||||
|
||||
3. Click the ellipses next to the collection name, and click **Edit collection**.
|
||||
4. Add or remove products from the collection, and then click **Done**.
|
||||
|
||||
You can also add an app to a collection from the app details page.
|
||||
|
||||
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
|
||||
2. Click **Manage**, and then click **Products & services**.
|
||||
3. Under **Apps & software**, choose an app you want to include in a new collection.
|
||||
|
@ -45,7 +45,7 @@ You'll need to set up:
|
||||
- LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store.
|
||||
|
||||
The process and timing look like this:
|
||||

|
||||

|
||||
|
||||
## <a href="" id="add-lob-publisher"></a>Add an LOB publisher (Admin)
|
||||
Admins need to invite developer or ISVs to become an LOB publisher.
|
||||
|
@ -2,11 +2,11 @@
|
||||
title: Advanced troubleshooting for Windows boot problems
|
||||
description: Learn to troubleshoot when Windows can't boot. This article includes advanced troubleshooting techniques intended for use by support agents and IT professionals.
|
||||
ms.prod: w10
|
||||
ms.sitesec: library
|
||||
author: aczechowski
|
||||
ms.technology: windows
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 06/02/2022
|
||||
author: aczechowski
|
||||
ms.author: aaroncz
|
||||
ms.date: 11/16/2018
|
||||
ms.reviewer:
|
||||
manager: dougeby
|
||||
ms.topic: troubleshooting
|
||||
@ -15,16 +15,15 @@ ms.collection: highpri
|
||||
|
||||
# Advanced troubleshooting for Windows boot problems
|
||||
|
||||
<p class="alert is-flex is-primary"><span class="has-padding-left-medium has-padding-top-extra-small"><a class="button is-primary" href="https://vsa.services.microsoft.com/v1.0/?partnerId=7d74cf73-5217-4008-833f-87a1a278f2cb&flowId=DMC&initialQuery=boot" target='_blank'><b>Try our Virtual Agent</b></a></span><span class="has-padding-small"> - It can help you quickly identify and fix common Windows boot issues</span>
|
||||
<p class="alert is-flex is-primary"><span class="has-padding-left-medium has-padding-top-extra-small"><a class="button is-primary" href="https://vsa.services.microsoft.com/v1.0/?partnerId=7d74cf73-5217-4008-833f-87a1a278f2cb&flowId=DMC&initialQuery=boot" target='_blank'><b>Try our Virtual Agent</b></a></span><span class="has-padding-small"> - It can help you quickly identify and fix common Windows boot issues.</span>
|
||||
|
||||
> [!NOTE]
|
||||
> This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/help/12415).
|
||||
> This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/windows/recovery-options-in-windows-31ce2444-7de3-818c-d626-e3b5a3024da5).
|
||||
|
||||
## Summary
|
||||
|
||||
There are several reasons why a Windows-based computer may have problems during startup. To troubleshoot boot problems, first determine in which of the following phases the computer gets stuck:
|
||||
|
||||
|
||||
| Phase | Boot Process | BIOS | UEFI |
|
||||
|-----------|----------------------|------------------------------------|-----------------------------------|
|
||||
| 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware |
|
||||
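Review bot: The Virtual Agent banner line is touched here only to add a full stop, but the `<p class="alert is-flex is-primary">` it opens is never closed and the link uses `target='_blank'` without a `rel="noopener noreferrer"` attribute. Since the line is being edited anyway, please add the closing `</p>` and the `rel` attribute, and escape the `&` separators in the `href` as `&amp;`.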
@ -32,31 +31,21 @@ There are several reasons why a Windows-based computer may have problems during
|
||||
| 3 | Windows OS Loader | %SystemRoot%\system32\winload.exe | %SystemRoot%\system32\winload.efi |
|
||||
| 4 | Windows NT OS Kernel | %SystemRoot%\system32\ntoskrnl.exe | |
|
||||
|
||||
**1. PreBoot**
|
||||
1. **PreBoot**: The PC's firmware initiates a power-on self test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot Manager.
|
||||
|
||||
The PC’s firmware initiates a Power-On Self Test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot Manager.
|
||||
2. **Windows Boot Manager**: Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition.
|
||||
|
||||
**2. Windows Boot Manager**
|
||||
3. **Windows operating system loader**: Essential drivers required to start the Windows kernel are loaded and the kernel starts to run.
|
||||
|
||||
Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition.
|
||||
4. **Windows NT OS Kernel**: The kernel loads into memory the system registry hive and other drivers that are marked as BOOT_START.
|
||||
|
||||
**3. Windows operating system loader**
|
||||
|
||||
Essential drivers required to start the Windows kernel are loaded and the kernel starts to run.
|
||||
|
||||
**4. Windows NT OS Kernel**
|
||||
|
||||
The kernel loads into memory the system registry hive and other drivers that are marked as BOOT_START.
|
||||
|
||||
The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that aren't marked BOOT_START.
|
||||
|
||||
Here's a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement.
|
||||
|
||||
<br>
|
||||
[Click to enlarge](img-boot-sequence.md)<br>
|
||||
The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that aren't marked BOOT_START.
|
||||
|
||||
<a name="boot-sequence"></a>
|
||||
|
||||
Here's a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before you start troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement. Select the thumbnail to view it larger.
|
||||
|
||||
:::image type="content" source="images/boot-sequence-thumb.png" alt-text="Diagram of the boot sequence flowchart." lightbox="images/boot-sequence.png":::
|
||||
|
||||
Each phase has a different approach to troubleshooting. This article provides troubleshooting techniques for problems that occur during the first three phases.
|
||||
|
||||
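Review bot: The new `<a name="boot-sequence"></a>` is what the redirect added in this merge resolves to, and it uses the obsolete `name` attribute, while another article in this same merge uses `id` for its hand-written anchor (`<a href="" id="add-lob-publisher"></a>`). Suggest `id="boot-sequence"` for consistency. Also check that the paragraph starting "The kernel passes control to the session manager process (Smss.exe)" is indented under list item 4, otherwise the conversion of the four bold headings to a numbered list leaves it detached from the kernel phase it describes.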
@ -69,7 +58,6 @@ Each phase has a different approach to troubleshooting. This article provides tr
|
||||
>
|
||||
> `Bcdedit /set {default} bootmenupolicy legacy`
|
||||
|
||||
|
||||
## BIOS phase
|
||||
|
||||
To determine whether the system has passed the BIOS phase, follow these steps:
|
||||
@ -86,26 +74,25 @@ To determine whether the system has passed the BIOS phase, follow these steps:
|
||||
|
||||
If the screen is black except for a blinking cursor, or if you receive one of the following error codes, this status indicates that the boot process is stuck in the Boot Loader phase:
|
||||
|
||||
- Boot Configuration Data (BCD) missing or corrupted
|
||||
- Boot file or MBR corrupted
|
||||
- Operating system Missing
|
||||
- Boot sector missing or corrupted
|
||||
- Bootmgr missing or corrupted
|
||||
- Unable to boot due to system hive missing or corrupted
|
||||
|
||||
To troubleshoot this problem, use Windows installation media to start the computer, press Shift+F10 for a command prompt, and then use any of the following methods.
|
||||
- Boot Configuration Data (BCD) missing or corrupted
|
||||
- Boot file or MBR corrupted
|
||||
- Operating system Missing
|
||||
- Boot sector missing or corrupted
|
||||
- Bootmgr missing or corrupted
|
||||
- Unable to boot due to system hive missing or corrupted
|
||||
|
||||
To troubleshoot this problem, use Windows installation media to start the computer, press **Shift** + **F10** for a command prompt, and then use any of the following methods.
|
||||
|
||||
### Method 1: Startup Repair tool
|
||||
|
||||
The Startup Repair tool automatically fixes many common problems. The tool also lets you quickly diagnose and repair more complex startup problems. When the computer detects a startup problem, the computer starts the Startup Repair tool. When the tool starts, it performs diagnostics. These diagnostics include analyzing startup log files to determine the cause of the problem. When the Startup Repair tool determines the cause, the tool tries to fix the problem automatically.
|
||||
|
||||
To do this task of invoking the Startup Repair tool, follow these steps.
|
||||
To do this task of invoking the Startup Repair tool, follow these steps.
|
||||
|
||||
> [!NOTE]
|
||||
> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre).
|
||||
> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#entry-points-into-winre).
|
||||
|
||||
1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/help/15088).
|
||||
1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/windows/create-installation-media-for-windows-99a58364-8c02-206f-aa6f-40c3b507420d).
|
||||
|
||||
2. On the **Install Windows** screen, select **Next** > **Repair your computer**.
|
||||
|
||||
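Review bot: Style points on lines this hunk re-indents without rewording: the list item "Operating system Missing" has inconsistent capitalisation next to its neighbours, and "To do this task of invoking the Startup Repair tool, follow these steps." is still awkward after the whitespace fix. Suggest "Operating system missing" and "To start the Startup Repair tool, follow these steps."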
@ -117,28 +104,26 @@ To do this task of invoking the Startup Repair tool, follow these steps.
|
||||
|
||||
The Startup Repair tool generates a log file to help you understand the startup problems and the repairs that were made. You can find the log file in the following location:
|
||||
|
||||
**%windir%\System32\LogFiles\Srt\Srttrail.txt**
|
||||
|
||||
|
||||
For more information, see [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s)
|
||||
`%windir%\System32\LogFiles\Srt\Srttrail.txt`
|
||||
|
||||
For more information, see [Troubleshoot blue screen errors](https://support.microsoft.com/sbs/windows/troubleshoot-blue-screen-errors-5c62726c-6489-52da-a372-3f73142c14ad).
|
||||
|
||||
### Method 2: Repair Boot Codes
|
||||
|
||||
To repair boot codes, run the following command:
|
||||
|
||||
```console
|
||||
```command
|
||||
BOOTREC /FIXMBR
|
||||
```
|
||||
|
||||
To repair the boot sector, run the following command:
|
||||
|
||||
```console
|
||||
```command
|
||||
BOOTREC /FIXBOOT
|
||||
```
|
||||
|
||||
> [!NOTE]
|
||||
> Running **BOOTREC** together with **Fixmbr** overwrites only the master boot code. If the corruption in the MBR affects the partition table, running **Fixmbr** may not fix the problem.
|
||||
> Running `BOOTREC` together with `Fixmbr` overwrites only the master boot code. If the corruption in the MBR affects the partition table, running `Fixmbr` may not fix the problem.
|
||||
|
||||
### Method 3: Fix BCD errors
|
||||
|
||||
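Review bot: In the rewritten note, `Fixmbr` is now formatted as code but is not what the reader types; the command shown two blocks above is `BOOTREC /FIXMBR`. Suggest writing the switch with its slash (`/FixMbr`) so the note matches the command. Separately, every fence in this hunk changes from `console` to `command`; please confirm `command` is a language tag the renderer recognises, because an unknown tag would drop the formatting on all of these blocks.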
@ -146,15 +131,15 @@ If you receive BCD-related errors, follow these steps:
|
||||
|
||||
1. Scan for all the systems that are installed. To do this step, run the following command:
|
||||
|
||||
```console
|
||||
```command
|
||||
Bootrec /ScanOS
|
||||
```
|
||||
|
||||
2. Restart the computer to check whether the problem is fixed.
|
||||
|
||||
3. If the problem isn't fixed, run the following commands:
|
||||
|
||||
```console
|
||||
|
||||
```command
|
||||
bcdedit /export c:\bcdbackup
|
||||
|
||||
attrib c:\boot\bcd -r -s -h
|
||||
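Review bot: Missing documentation for the commands in step 3: `bcdedit /export c:\bcdbackup` and `attrib c:\boot\bcd -r -s -h` hard-code `c:`, but these are run from a recovery command prompt where the Windows and system partitions are not guaranteed to have that letter. A one-line note telling the reader to confirm the drive letter first would prevent exporting or unhiding the wrong store.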
@ -172,128 +157,116 @@ If methods 1, 2 and 3 don't fix the problem, replace the Bootmgr file from drive
|
||||
|
||||
1. At a command prompt, change the directory to the System Reserved partition.
|
||||
|
||||
2. Run the **attrib** command to unhide the file:
|
||||
2. Run the `attrib` command to unhide the file:
|
||||
|
||||
```console
|
||||
```command
|
||||
attrib -r -s -h
|
||||
```
|
||||
|
||||
3. Navigate to the system drive and run the same command:
|
||||
|
||||
```console
|
||||
```command
|
||||
attrib -r -s -h
|
||||
```
|
||||
|
||||
4. Rename the Bootmgr file as Bootmgr.old:
|
||||
4. Rename the `bootmgr` file as `bootmgr.old`:
|
||||
|
||||
```console
|
||||
```command
|
||||
ren c:\bootmgr bootmgr.old
|
||||
```
|
||||
|
||||
5. Navigate to the system drive.
|
||||
|
||||
6. Copy the Bootmgr file, and then paste it to the System Reserved partition.
|
||||
6. Copy the `bootmgr` file, and then paste it to the System Reserved partition.
|
||||
|
||||
7. Restart the computer.
|
||||
|
||||
### Method 5: Restore System Hive
|
||||
### Method 5: Restore system hive
|
||||
|
||||
If Windows can't load the system registry hive into memory, you must restore the system hive. To do this step,, use the Windows Recovery Environment or use Emergency Repair Disk (ERD) to copy the files from the C:\Windows\System32\config\RegBack to C:\Windows\System32\config.
|
||||
If Windows can't load the system registry hive into memory, you must restore the system hive. To do this step, use the Windows Recovery Environment or use the Emergency Repair Disk (ERD) to copy the files from the `C:\Windows\System32\config\RegBack` directory to `C:\Windows\System32\config`.
|
||||
|
||||
If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.
|
||||
|
||||
> [!NOTE]
|
||||
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder)
|
||||
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more information, see [The system registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).
|
||||
|
||||
## Kernel Phase
|
||||
|
||||
If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These error messages include, but aren't limited to, the following examples:
|
||||
|
||||
- A Stop error appears after the splash screen (Windows Logo screen).
|
||||
- A Stop error appears after the splash screen (Windows Logo screen).
|
||||
|
||||
- Specific error code is displayed.
|
||||
- Specific error code is displayed. For example, `0x00000C2` , `0x0000007B` , or `inaccessible boot device`.
|
||||
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
|
||||
- [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
|
||||
|
||||
For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on.
|
||||
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
|
||||
- [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
|
||||
- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon.
|
||||
|
||||
- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon.
|
||||
|
||||
- A black screen appears after the splash screen.
|
||||
- A black screen appears after the splash screen.
|
||||
|
||||
To troubleshoot these problems, try the following recovery boot options one at a time.
|
||||
|
||||
**Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration**
|
||||
### Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration
|
||||
|
||||
On the **Advanced Boot Options** screen, try to start the computer in **Safe Mode** or **Safe Mode with Networking**. If either of these options works, use Event Viewer to help identify and diagnose the cause of the boot problem. To view events that are recorded in the event logs, follow these steps:
|
||||
|
||||
1. Use one of the following methods to open Event Viewer:
|
||||
1. Use one of the following methods to open Event Viewer:
|
||||
|
||||
- Click **Start**, point to **Administrative Tools**, and then click
|
||||
**Event Viewer**.
|
||||
- Go to the **Start** menu, select **Administrative Tools**, and then select **Event Viewer**.
|
||||
|
||||
- Start the Event Viewer snap-in in Microsoft Management Console (MMC).
|
||||
- Start the Event Viewer snap-in in Microsoft Management Console (MMC).
|
||||
|
||||
2. In the console tree, expand Event Viewer, and then click the log that you
|
||||
want to view. For example, click **System log** or **Application log**.
|
||||
2. In the console tree, expand Event Viewer, and then select the log that you want to view. For example, choose **System log** or **Application log**.
|
||||
|
||||
3. In the details pane, double-click the event that you want to view.
|
||||
3. In the details pane, open the event that you want to view.
|
||||
|
||||
4. On the **Edit** menu, click **Copy**, open a new document in the program in
|
||||
which you want to paste the event (for example, Microsoft Word), and then
|
||||
click **Paste**.
|
||||
|
||||
5. Use the Up Arrow or Down Arrow key to view the description of the previous
|
||||
or next event.
|
||||
4. On the **Edit** menu, select **Copy**. Open a new document in the program in which you want to paste the event. For example, Microsoft Word. Then select **Paste**.
|
||||
|
||||
5. Use the up arrow or down arrow key to view the description of the previous or next event.
|
||||
|
||||
### Clean boot
|
||||
|
||||
To troubleshoot problems that affect services, do a clean boot by using System Configuration (msconfig).
|
||||
To troubleshoot problems that affect services, do a clean boot by using System Configuration (`msconfig`).
|
||||
Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you can't find the cause, try including system services. However, in most cases, the problematic service is third-party.
|
||||
|
||||
Disable any service that you find to be faulty, and try to start the computer again by selecting **Normal startup**.
|
||||
|
||||
For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135/how-to-perform-a-clean-boot-in-windows).
|
||||
For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/topic/how-to-perform-a-clean-boot-in-windows-da2f9573-6eec-00ad-2f8a-a97a1807f3dd).
|
||||
|
||||
If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode, and then follow the steps that are documented in the following article to determine which drivers or files require driver signature enforcement:
|
||||
[Troubleshooting boot problem caused by missing driver signature (x64)](/archive/blogs/askcore/troubleshooting-boot-issues-due-to-missing-driver-signature-x64)
|
||||
[Troubleshooting boot problem caused by missing driver signature (x64)](/archive/blogs/askcore/troubleshooting-boot-issues-due-to-missing-driver-signature-x64)
|
||||
|
||||
> [!NOTE]
|
||||
> If the computer is a domain controller, try Directory Services Restore mode (DSRM).
|
||||
>
|
||||
> This method is an important step if you encounter Stop error "0xC00002E1" or "0xC00002E2"
|
||||
|
||||
|
||||
**Examples**
|
||||
#### Examples
|
||||
|
||||
> [!WARNING]
|
||||
> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these
|
||||
problems can be solved. Modify the registry at your own risk.
|
||||
> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft can't guarantee that these problems can be solved. Modify the registry at your own risk.
|
||||
|
||||
*Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)*
|
||||
|
||||
To troubleshoot this Stop error, follow these steps to filter the drivers:
|
||||
|
||||
1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of the same version of Windows or a later version.
|
||||
1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of the same version of Windows or a later version.
|
||||
|
||||
2. Open the registry.
|
||||
2. Open the registry.
|
||||
|
||||
3. Load the system hive, and name it as "test."
|
||||
3. Load the system hive, and name it **test**.
|
||||
|
||||
4. Under the following registry subkey, check for lower filter and upper filter items for Non-Microsoft Drivers:
|
||||
|
||||
**HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class**
|
||||
|
||||
5. For each third-party driver that you locate, click the upper or lower filter, and then delete the value data.
|
||||
4. Under the following registry subkey, check for lower filter and upper filter items for non-Microsoft drivers:
|
||||
|
||||
6. Search through the whole registry for similar items. Process as an appropriate, and then unload the registry hive.
|
||||
`HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class`
|
||||
|
||||
7. Restart the server in Normal mode.
|
||||
5. For each third-party driver that you locate, select the upper or lower filter, and then delete the value data.
|
||||
|
||||
For more troubleshooting steps, see the following articles:
|
||||
6. Search through the whole registry for similar items. Process as appropriate, and then unload the registry hive.
|
||||
|
||||
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
|
||||
7. Restart the server in Normal mode.
|
||||
|
||||
For more troubleshooting steps, see [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md).
|
||||
|
||||
To fix problems that occur after you install Windows updates, check for pending updates by using these steps:
|
||||
|
||||
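Review bot: In the STOP 0x7B steps, step 3 loads the offline system hive under the name **test**, but step 4 still points at `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class`, which at a recovery prompt is the recovery environment's own hive and not the one just loaded. The path should go through the loaded hive, for example `HKEY_LOCAL_MACHINE\test\ControlSet001\Control\Class`. Step 5 then deletes filter values for every third-party driver with no backup step; please add an export of the key before editing, since class filters commonly belong to storage, backup or encryption products that the machine may need again. Two smaller items in the same hunk: both Method 4 `attrib -r -s -h` commands name no file although the step says to unhide "the file", and the example code `0x00000C2` has seven hex digits where its neighbour `0x0000007B` has eight.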
@ -301,16 +274,15 @@ To fix problems that occur after you install Windows updates, check for pending
|
||||
|
||||
2. Run the command:
|
||||
|
||||
```console
|
||||
```command
|
||||
DISM /image:C:\ /get-packages
|
||||
```
|
||||
|
||||
3. If there are any pending updates, uninstall them by running the following commands:
|
||||
|
||||
```console
|
||||
```command
|
||||
DISM /image:C:\ /remove-package /packagename: name of the package
|
||||
```
|
||||
```console
|
||||
|
||||
DISM /Image:C:\ /Cleanup-Image /RevertPendingActions
|
||||
```
|
||||
|
||||
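Review bot: The removal command `DISM /image:C:\ /remove-package /packagename: name of the package` mixes literal syntax with a free-text placeholder and has a space after the colon, so it fails if pasted as written. Suggest a marked placeholder with no space, such as `/packagename:<package name>`, and a sentence saying the name comes from the `/get-packages` output in step 2.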
@ -318,72 +290,67 @@ To fix problems that occur after you install Windows updates, check for pending
|
||||
|
||||
If the computer doesn't start, follow these steps:
|
||||
|
||||
1. Open A Command Prompt window in WinRE, and start a text editor, such as Notepad.
|
||||
1. Open a command prompt window in WinRE, and start a text editor, such as Notepad.
|
||||
|
||||
2. Navigate to the system drive, and search for windows\winsxs\pending.xml.
|
||||
2. Navigate to the system drive, and search for `windows\winsxs\pending.xml`.
|
||||
|
||||
3. If the Pending.xml file is found, rename the file as Pending.xml.old.
|
||||
3. If the pending.xml file is found, rename the file as `pending.xml.old`.
|
||||
|
||||
4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as a test.
|
||||
4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as test.
|
||||
|
||||
5. Highlight the loaded test hive, and then search for the **pendingxmlidentifier** value.
|
||||
5. Highlight the loaded test hive, and then search for the `pendingxmlidentifier` value.
|
||||
|
||||
6. If the **pendingxmlidentifier** value exists, delete the value.
|
||||
6. If the `pendingxmlidentifier` value exists, delete it.
|
||||
|
||||
7. Unload the test hive.
|
||||
7. Unload the test hive.
|
||||
|
||||
8. Load the system hive, name it as "test".
|
||||
8. Load the system hive, name it **test**.
|
||||
|
||||
9. Navigate to the following subkey:
|
||||
|
||||
**HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\TrustedInstaller**
|
||||
|
||||
10. Change the **Start** value from **1** to **4**
|
||||
9. Navigate to the following subkey:
|
||||
|
||||
`HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TrustedInstaller`
|
||||
|
||||
10. Change the **Start** value from `1` to `4`.
|
||||
|
||||
11. Unload the hive.
|
||||
|
||||
12. Try to start the computer.
|
||||
|
||||
If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For details, see the following articles:
|
||||
If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For more information, see [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md).
|
||||
|
||||
- [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md)
|
||||
For more information about page file problems in Windows 10 or Windows Server 2016, see [Introduction to page files](./introduction-page-file.md).
|
||||
|
||||
For more information about page file problems in Windows 10 or Windows Server 2016, see the following article:
|
||||
- [Introduction to page files](./introduction-page-file.md)
|
||||
For more information about Stop errors, see [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md).
|
||||
|
||||
For more information about Stop errors, see the following Knowledge Base article:
|
||||
- [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md)
|
||||
Sometimes the dump file shows an error that's related to a driver. For example, `windows\system32\drivers\stcvsm.sys` is missing or corrupted. In this instance, follow these guidelines:
|
||||
|
||||
|
||||
If the dump file shows an error that is related to a driver (for example, windows\system32\drivers\stcvsm.sys is missing or corrupted), follow these guidelines:
|
||||
|
||||
- Check the functionality that is provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does.
|
||||
- Check the functionality that's provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does.
|
||||
|
||||
- If the driver isn't important and has no dependencies, load the system hive, and then disable the driver.
|
||||
|
||||
- If the stop error indicates system file corruption, run the system file checker in offline mode.
|
||||
|
||||
- To do this, open WinRE, open a command prompt, and then run the following command:
|
||||
- To do this action, open WinRE, open a command prompt, and then run the following command:
|
||||
|
||||
```console
|
||||
SFC /Scannow /OffBootDir=C:\ /OffWinDir=C:\Windows
|
||||
```
|
||||
```command
|
||||
SFC /Scannow /OffBootDir=C:\ /OffWinDir=C:\Windows
|
||||
```
|
||||
|
||||
For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues)
|
||||
For more information, see [Using system file checker (SFC) to fix issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues).
|
||||
|
||||
- If there's disk corruption, run the check disk command:
|
||||
- If there's disk corruption, run the check disk command:
|
||||
|
||||
```console
|
||||
chkdsk /f /r
|
||||
```
|
||||
```command
|
||||
chkdsk /f /r
|
||||
```
|
||||
|
||||
- If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps:
|
||||
- If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps:
|
||||
|
||||
1. Start WinRE, and open a Command Prompt window.
|
||||
2. Start a text editor, such as Notepad.
|
||||
3. Navigate to C:\Windows\System32\Config\.
|
||||
4. Rename the all five hives by appending ".old" to the name.
|
||||
5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode.
|
||||
1. Start WinRE, and open a command prompt window.
|
||||
2. Start a text editor, such as Notepad.
|
||||
3. Navigate to `C:\Windows\System32\Config\`.
|
||||
4. Rename the all five hives by appending `.old` to the name.
|
||||
5. Copy all the hives from the `Regback` folder, paste them in the `Config` folder, and then try to start the computer in Normal mode.
|
||||
|
||||
> [!NOTE]
|
||||
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).
|
||||
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more information, see [The system registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).
|
||||
|
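Review bot: In the registry-corruption steps, step 5 still tells the reader to copy the hives from the `Regback` folder, but the note directly below it says that starting in Windows 10, version 1803, Windows no longer backs up the registry to that folder. On those versions the folder may hold no current backup, so move the note ahead of step 1 or qualify step 5 with a check that the `Regback` files contain data, and send the reader to the restore-point path otherwise. Three smaller items are carried into the new lines. Step 4 reads "Rename the all five hives" (drop "the"). The note has "RegBack folder.This change" with no space after the period. The folder name is spelled `Regback` in step 5 and RegBack in the note.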
@ -1,17 +0,0 @@
|
||||
---
|
||||
title: Boot sequence flowchart
|
||||
description: View a full-sized view of the boot sequence flowchart. Use the link to return to the Advanced troubleshooting for Windows boot problems article.
|
||||
ms.date: 11/16/2018
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
author: dansimp
|
||||
ms.topic: article
|
||||
ms.prod: w10
|
||||
---
|
||||
|
||||
# Boot sequence flowchart
|
||||
|
||||
Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)<br>
|
||||
|
||||

|
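Review bot: Deleting this page removes the only stated full-size view of `images/boot-sequence.png`; its description reads "View a full-sized view of the boot sequence flowchart." Confirm that the troubleshooting article still shows the flowchart at a readable size, for example with a `lightbox` attribute like the one added to the images in the modern-management article in this same change. Also confirm that inbound links to this page are redirected and that the image file is still referenced somewhere.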
@ -1,140 +1,136 @@
|
||||
---
|
||||
title: Manage Windows 10 in your organization - transitioning to modern management
|
||||
description: This topic offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment.
|
||||
keywords: ["MDM", "device management", "group policy", "Azure Active Directory"]
|
||||
description: This article offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: devices
|
||||
author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/26/2018
|
||||
ms.date: 06/03/2022
|
||||
author: aczechowski
|
||||
ms.author: aaroncz
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
ms.topic: article
|
||||
manager: dougeby
|
||||
ms.topic: overview
|
||||
---
|
||||
|
||||
# Manage Windows 10 in your organization - transitioning to modern management
|
||||
|
||||
Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization.
|
||||
|
||||
Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. While this downgrade may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it’s easy for versions to coexist.
|
||||
Your organization might have considered bringing in Windows 10 devices and downgrading them to an earlier version of Windows until everything is in place for a formal upgrade process. While this downgrade may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it's easy for versions to coexist.
|
||||
|
||||
Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This “managed diversity” enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
|
||||
Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
|
||||
|
||||
This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance.
|
||||
|
||||
> [!VIDEO https://www.youtube.com/embed/g1rIcBhhxpA]
|
||||
|
||||
>[!NOTE]
|
||||
>The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal)
|
||||
> [!NOTE]
|
||||
> The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal)
|
||||
|
||||
This topic offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. The topic covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle:
|
||||
This article offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. It covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle:
|
||||
|
||||
- [Deployment and Provisioning](#deployment-and-provisioning)
|
||||
- [Deployment and Provisioning](#deployment-and-provisioning)
|
||||
|
||||
- [Identity and Authentication](#identity-and-authentication)
|
||||
- [Identity and Authentication](#identity-and-authentication)
|
||||
|
||||
- [Configuration](#settings-and-configuration)
|
||||
- [Configuration](#settings-and-configuration)
|
||||
|
||||
- [Updating and Servicing](#updating-and-servicing)
|
||||
- [Updating and Servicing](#updating-and-servicing)
|
||||
|
||||
## Reviewing the management options with Windows 10
|
||||
|
||||
Windows 10 offers a range of management options, as shown in the following diagram:
|
||||
|
||||
<img src="images/windows-10-management-range-of-options.png" alt="The path to modern IT" width="766" height="654" />
|
||||
:::image type="content" source="images/windows-10-management-range-of-options.png" alt-text="Diagram of the path to modern IT." lightbox="images/windows-10-management-range-of-options.png":::
|
||||
|
||||
As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and Microsoft Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
|
||||
As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
|
||||
|
||||
## Deployment and Provisioning
|
||||
## Deployment and provisioning
|
||||
|
||||
With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully configured, fully managed devices, you can:
|
||||
With Windows 10, you can continue to use traditional OS deployment, but you can also "manage out of the box." To transform new devices into fully configured, fully managed devices, you can:
|
||||
|
||||
- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management service such as [Windows Autopilot](/mem/autopilot/windows-autopilot) or [Microsoft Intune](/mem/intune/fundamentals/).
|
||||
|
||||
- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](/mem/intune/fundamentals/).
|
||||
- Create self-contained provisioning packages built with the Windows Configuration Designer. For more information, see [Provisioning packages for Windows](/windows/configuration/provisioning-packages/provisioning-packages).
|
||||
|
||||
- Create self-contained provisioning packages built with the [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-packages).
|
||||
- Use traditional imaging techniques such as deploying custom images using [Configuration Manager](/mem/configmgr/core/understand/introduction).
|
||||
|
||||
- Use traditional imaging techniques such as deploying custom images using [Microsoft Endpoint Configuration Manager](/configmgr/core/understand/introduction).
|
||||
You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive - everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today.
|
||||
|
||||
You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive – everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7.
|
||||
## Identity and authentication
|
||||
|
||||
## Identity and Authentication
|
||||
|
||||
You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **“bring your own device” (BYOD)** or to **“choose your own device” (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
|
||||
You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
|
||||
|
||||
You can envision user and device management as falling into these two categories:
|
||||
|
||||
- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
|
||||
- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
|
||||
|
||||
- For corporate devices, they can set up corporate access with [Azure AD Join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.<br>Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
|
||||
- For corporate devices, they can set up corporate access with [Azure AD join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
|
||||
|
||||
- Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device.
|
||||
Azure AD join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
|
||||
|
||||
- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises.
|
||||
With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that’s [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides:
|
||||
- Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device.
|
||||
|
||||
- Single sign-on to cloud and on-premises resources from everywhere
|
||||
- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises.
|
||||
|
||||
- [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-overview)
|
||||
With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that's [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides:
|
||||
|
||||
- [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device
|
||||
- Single sign-on to cloud and on-premises resources from everywhere
|
||||
|
||||
- [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification)
|
||||
- [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-enable)
|
||||
|
||||
- Windows Hello
|
||||
- [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device
|
||||
|
||||
Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/configmgr/core/understand/introduction) client or Group Policy.
|
||||
- [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification)
|
||||
|
||||
- Windows Hello
|
||||
|
||||
Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/mem/configmgr/core/understand/introduction) client or group policy.
|
||||
|
||||
For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](/azure/active-directory/devices/overview).
|
||||
|
||||
As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
|
||||
|
||||

|
||||
:::image type="content" source="images/windows-10-management-cyod-byod-flow.png" alt-text="Diagram of decision tree for device authentication options." lightbox="images/windows-10-management-cyod-byod-flow.png":::
|
||||
|
||||
## Settings and Configuration
|
||||
## Settings and configuration
|
||||
|
||||
Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.
|
||||
Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.
|
||||
|
||||
**MDM**: [MDM](https://www.microsoft.com/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go.
|
||||
**MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, group policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using group policy that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go.
|
||||
|
||||
**Group Policy** and **Microsoft Endpoint Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings. If so, Group Policy and Configuration Manager continue to be excellent management choices:
|
||||
**Group policy** and **Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer's 1,500 configurable group policy settings. If so, group policy and Configuration Manager continue to be excellent management choices:
|
||||
|
||||
- Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows.
|
||||
- Group policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add group policy settings with each new version of Windows.
|
||||
|
||||
- Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment.
|
||||
- Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment.
|
||||
|
||||
## Updating and servicing
|
||||
|
||||
## Updating and Servicing
|
||||
With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple - often automatic - patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios).
|
||||
|
||||
With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple – often automatic – patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios).
|
||||
|
||||
MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules.
|
||||
MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules.
|
||||
|
||||
## Next steps
|
||||
|
||||
There are various steps you can take to begin the process of modernizing device management in your organization:
|
||||
|
||||
**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use the [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to help determine which Group Policies are set for a target user/computer and cross-reference them against the list of available MDM policies.
|
||||
**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, reevaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use [Group policy analytics in Microsoft Endpoint Manager](/mem/intune/configuration/group-policy-analytics) to help determine which group policies supported by cloud-based MDM providers, including Microsoft Intune.
|
||||
|
||||
**Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs.
|
||||
|
||||
**Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario.
|
||||
|
||||
**Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your GP environment. Here's the list of MDM policies with equivalent GP - [Policies supported by GP](./mdm/policy-configuration-service-provider.md)
|
||||
**Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policy-configuration-service-provider.md).
|
||||
|
||||
**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. For more information, see the following articles:
|
||||
|
||||
**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Configuration Manager 1710 onward, co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. See these topics for details:
|
||||
- [Co-management for Windows devices](/mem/configmgr/comanage/overview)
|
||||
- [Prepare Windows devices for co-management](/mem/configmgr/comanage/how-to-prepare-Win10)
|
||||
- [Switch Configuration Manager workloads to Intune](/mem/configmgr/comanage/how-to-switch-workloads)
|
||||
- [Co-management dashboard in Configuration Manager](/mem/configmgr/comanage/how-to-monitor)
|
||||
|
||||
- [Co-management for Windows 10 devices](/configmgr/core/clients/manage/co-management-overview)
|
||||
- [Prepare Windows 10 devices for co-management](/configmgr/core/clients/manage/co-management-prepare)
|
||||
- [Switch Configuration Manager workloads to Intune](/configmgr/core/clients/manage/co-management-switch-workloads)
|
||||
- [Co-management dashboard in Configuration Manager](/configmgr/core/clients/manage/co-management-dashboard)
|
||||
## Related articles
|
||||
|
||||
## Related topics
|
||||
|
||||
- [What is Intune?](/mem/intune/fundamentals/what-is-intune)
|
||||
- [Windows 10 Policy CSP](./mdm/policy-configuration-service-provider.md)
|
||||
- [Windows 10 Configuration service Providers](./mdm/configuration-service-provider-reference.md)
|
||||
- [What is Intune?](/mem/intune/fundamentals/what-is-intune)
|
||||
- [Windows 10 policy CSP](./mdm/policy-configuration-service-provider.md)
|
||||
- [Windows 10 configuration service providers](./mdm/configuration-service-provider-reference.md)
|
||||
|
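Review bot: The co-management link list appears under two different path roots in this hunk, /mem/configmgr/comanage/... and /configmgr/core/clients/manage/..., so check that the set this change keeps resolves directly and not through a redirect. The section heading also switches between "Related articles" and "Related topics"; the EAP configuration and firewall hunks later in this commit use "Related topics", so settle on one form across the files touched here.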
@ -1,13 +1,13 @@
|
||||
---
|
||||
title: Change history for MDM documentation
|
||||
description: This article lists new and updated articles for Mobile Device Management.
|
||||
author: aczechowski
|
||||
ms.author: aaroncz
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
manager: dougeby
|
||||
ms.topic: article
|
||||
ms.prod: w10
|
||||
ms.technology: windows
|
||||
author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 10/19/2020
|
||||
---
|
||||
@ -174,7 +174,6 @@ This article lists new and updated articles for the Mobile Device Management (MD
|
||||
|
||||
|New or updated article | Description|
|
||||
|--- | ---|
|
||||
|[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT).|
|
||||
|[Policy CSP - DeviceGuard](policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.|
|
||||
|
||||
## August 2018
|
||||
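Review bot: Dropping a row from this change-history table (the hunk goes from 7 lines to 6) removes a record of what was published. If the row being dropped is the MMAT entry that links to index.md#mmat, confirm that the #mmat anchor is removed from index.md in the same change and that no other article still links to it, and consider keeping the row with a note that the tool is retired.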
@ -227,7 +226,6 @@ This article lists new and updated articles for the Mobile Device Management (MD
|
||||
|[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)|Added the following node in Windows 10, version 1803:<li>Settings/AllowVirtualGPU<li>Settings/SaveFilesToHost|
|
||||
|[NetworkProxy CSP](networkproxy-csp.md)|Added the following node in Windows 10, version 1803:<li>ProxySettingsPerUser|
|
||||
|[Accounts CSP](accounts-csp.md)|Added a new CSP in Windows 10, version 1803.|
|
||||
|[MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat)|Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.|
|
||||
|[CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)|Added the DDF download of Windows 10, version 1803 configuration service providers.|
|
||||
|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>Bluetooth/AllowPromptedProximalConnections<li>KioskBrowser/EnableEndSessionButton<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers|
|
||||
|
||||
|
@ -861,7 +861,7 @@ Here's the list of corresponding Group Policy settings in HKLM\\Software\\Polici
|
||||
|DeferFeatureUpdates|REG_DWORD|1: defer feature updates<br><br>Other value or absent: don’t defer feature updates|
|
||||
|DeferFeatureUpdatesPeriodInDays|REG_DWORD|0-180: days to defer feature updates|
|
||||
|PauseFeatureUpdates|REG_DWORD|1: pause feature updates<br><br>Other value or absent: don’t pause feature updates|
|
||||
|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude WU drivers<br><br>Other value or absent: offer WU drivers|
|
||||
|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude Windows Update drivers<br><br>Other value or absent: offer Windows Update drivers|
|
||||
|
||||
Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices.
|
||||
|
||||
|
@ -51,6 +51,8 @@ DMClient
|
||||
------------Unenroll
|
||||
------------AADResourceID
|
||||
------------AADDeviceID
|
||||
------------AADSendDeviceToken
|
||||
------------ForceAadToken
|
||||
------------EnrollmentType
|
||||
------------EnableOmaDmKeepAliveMessage
|
||||
------------HWDevID
|
||||
@ -73,6 +75,21 @@ DMClient
|
||||
----------------NumberOfRemainingScheduledRetries
|
||||
----------------PollOnLogin
|
||||
----------------AllUsersPollOnFirstLogin
|
||||
------------LinkedEnrollment
|
||||
----------------Priority
|
||||
----------------Enroll
|
||||
----------------Unenroll
|
||||
----------------EnrollStatus
|
||||
----------------LastError
|
||||
------------Recovery
|
||||
----------------AllowRecovery
|
||||
----------------RecoveryStatus
|
||||
----------------InitiateRecovery
|
||||
------------MultipleSession
|
||||
----------------NumAllowedConcurrentUserSessionForBackgroundSync
|
||||
----------------NumAllowedConcurrentUserSessionAtUserLogonSync
|
||||
----------------IntervalForScheduledRetriesForUserSession
|
||||
----------------NumberOfScheduledRetriesForUserSession
|
||||
----Unenroll
|
||||
----UpdateManagementServiceAddress
|
||||
```
|
||||
@ -326,6 +343,11 @@ Supported operations are Add, Delete, Get, and Replace.
|
||||
|
||||
Value type is bool.
|
||||
|
||||
<a href="" id="provider-providerid-forceaadtoken"></a>**Provider/*ProviderID*/ForceAadToken**
|
||||
The value type is integer/enum.
|
||||
|
||||
The value is "1" and it means client should always send AAD device token during check-in/sync.
|
||||
|
||||
<a href="" id="provider-providerid-poll"></a>**Provider/*ProviderID*/Poll**
|
||||
Optional. Polling schedules must use the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
|
||||
|
||||
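Review bot: The new ForceAadToken entry documents only the value "1" and gives no supported operations, no default, and no meaning for any other value, even though the type is stated as "integer/enum". Because this setting makes the client send the AAD device token on every check-in/sync, list every enum value, the default, and the supported operations in the form the neighbouring nodes use ("Supported operations are Add, Delete, Get, and Replace."), and say how it relates to the AADSendDeviceToken node shown in the node tree.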
@ -444,6 +466,117 @@ Optional. Boolean value that allows the IT admin to require the device to start
|
||||
|
||||
Supported operations are Add, Get, and Replace.
|
||||
|
||||
<a href="" id="provider-providerid-linkedenrollment-priority"></a>**Provider/*ProviderID*/LinkedEnrollment/Priority**
|
||||
This node is an integer, value is "0" or "1".
|
||||
|
||||
Default is 1, meaning the MDM enrollment is the “winning” authority for conflicting policies/resources. Value 1 means MMP-C enrollment is the “winning” one.
|
||||
Support operations are Get and Set.
|
||||
|
||||
<a href="" id="provider-providerid-linkedenrollment-enroll"></a>**Provider/*ProviderID*/LinkedEnrollment/Enroll**
|
||||
This is an execution node and will trigger a silent MMP-C enrollment, using the AAD device token pulled from the AADJ’ed device. There is no user interaction needed.
|
||||
|
||||
Support operation is Exec.
|
||||
|
||||
<a href="" id="provider-providerid-linkedenrollment-unenroll"></a>**Provider/*ProviderID*/LinkedEnrollment/Unenroll**
|
||||
This is an execution node and will trigger a silent MMP-C unenroll, there is no user interaction needed. On un-enrollment, all the settings/resources set by MMPC will be rolled back(rollback details will be covered later).
|
||||
|
||||
Support operation is Exec.
|
||||
|
||||
<a href="" id="provider-providerid-linkedenrollment-enrollstatus"></a>**Provider/*ProviderID*/LinkedEnrollment/EnrollStatus**
|
||||
|
||||
This node can be used to check both enroll and unenroll statuses.
|
||||
This will return the enroll action status and is defined as a enum class LinkedEnrollmentStatus. The values are aas follows:
|
||||
|
||||
- Undefined = 0
|
||||
- EnrollmentNotStarted = 1
|
||||
- InProgress = 2
|
||||
- Failed = 3
|
||||
- Succeeded = 4
|
||||
- UnEnrollmentQueued = 5
|
||||
- UnEnrollmentSucceeded = 8
|
||||
|
||||
Support operation is Get only.
|
||||
|
||||
<a href="" id="provider-providerid-linkedenrollment-lasterror"></a>**Provider/*ProviderID*/LinkedEnrollment/LastError**
|
||||
|
||||
This specifies the Hresult to report the enrollment/unenroll results.
|
||||
|
||||
<a href="" id="provider-providerid-recovery-allowrecovery"></a>**Provider/*ProviderID*/Recovery/AllowRecovery**
|
||||
|
||||
This node determines whether or not the client will automatically initiate a MDM Recovery operation when it detects issues with the MDM certificate.
|
||||
|
||||
Supported operations are Get, Add, Replace and Delete.
|
||||
|
||||
The supported values for this node are 1-true (allow) and 0-false(not allow). Default value is 0.
|
||||
|
||||
<a href="" id="provider-providerid-recovery-recoverystatus"></a>**Provider/*ProviderID*/Recovery/RecoveryStatus**
|
||||
|
||||
This node tracks the status of a Recovery request from the InitiateRecovery node. The values are as follows:
|
||||
|
||||
0 - No Recovery request has been processed.
|
||||
1 - Recovery is in Process.
|
||||
2 - Recovery has finished successfully.
|
||||
3 - Recovery has failed to start because TPM is not available.
|
||||
4 - Recovery has failed to start because AAD keys are not protected by the TPM.
|
||||
5 - Recovery has failed to start because the MDM keys are already protected by the TPM.
|
||||
6 - Recovery has failed to start because the TPM is not ready for attestation.
|
||||
7 - Recovery has failed because the client cannot authenticate to the server.
|
||||
8 - Recovery has failed because the server has rejected the client's request.
|
||||
|
||||
Supported operation is Get only.
|
||||
|
||||
<a href="" id="provider-providerid-recovery-initiaterecovery"></a>**Provider/*ProviderID*/Recovery/InitiateRecovery**
|
||||
|
||||
This node initiates an MDM Recovery operation on the client.
|
||||
|
||||
If initiated with argument 0, it triggers MDM Recovery, no matter the state of the device.
|
||||
|
||||
If initiated with argument 1, it triggers only if the MDM certificate’s private key isn’t already protected by the TPM, if there is a TPM to put the private key into, and if the TPM is ready for attestation.
|
||||
|
||||
Supported operation is Exec only.
|
||||
|
||||
<a href="" id="provider-providerid-multiplesession-numallowedconcurrentusersessionforbackgroundsync"></a>**Provider/*ProviderID*/MultipleSession/NumAllowedConcurrentUserSessionForBackgroundSync**
|
||||
|
||||
Optional. This node specifies maximum number of concurrent user sync sessions in background.
|
||||
|
||||
The default value is dynamically decided by the client based on CPU usage.
|
||||
|
||||
The values are : 0= none, 1= sequential, anything else= parallel.
|
||||
|
||||
Supported operations are Get, Add, Replace and Delete.
|
||||
|
||||
Value type is integer. Only applicable for Windows Enterprise multi-session.
|
||||
|
||||
|
||||
<a href="" id="provider-providerid-multiplesession-numallowedconcurrentusersessionatuserlogonsync"></a>**Provider/*ProviderID*/MultipleSession/NumAllowedConcurrentUserSessionAtUserLogonSync**
|
||||
Optional. This node specifies maximum number of concurrent user sync sessions at User Login.
|
||||
|
||||
The default value is dynamically decided by the client based on CPU usage.
|
||||
|
||||
The values are : 0= none, 1= sequential, anything else= parallel.
|
||||
|
||||
Supported operations are Get, Add, Replace and Delete.
|
||||
|
||||
Value type is integer. Only applicable for Windows Enterprise multi-session.
|
||||
|
||||
<a href="" id="provider-providerid-multiplesession-intervalforscheduledretriesforusersession"></a>**Provider/*ProviderID*/MultipleSession/IntervalForScheduledRetriesForUserSession**
|
||||
Optional. This node specifies the waiting time (in minutes) for the initial set of retries as specified by the number of retries in `/<ProviderID>/Poll/NumberOfScheduledRetriesForUserSession`.
|
||||
|
||||
If IntervalForScheduledRetriesForUserSession is not set, then the default value is used. The default value is 0. If the value is set to 0, this schedule is disabled.
|
||||
|
||||
This configuration is only applicable for Windows Multi-session Editions.
|
||||
|
||||
Supported operations are Get and Replace.
|
||||
|
||||
<a href="" id="provider-providerid-multiplesession-numberofscheduledretriesforusersession"></a>**Provider/*ProviderID*/MultipleSession/NumberOfScheduledRetriesForUserSession**
|
||||
Optional. This node specifies the number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server.
|
||||
|
||||
If the value is set to 0 and the IntervalForScheduledRetriesForUserSession value is not 0, then the schedule will be set to repeat an infinite number of times.
|
||||
|
||||
The default value is 0. This configuration is only applicable for Windows Multi-session Editions.
|
||||
|
||||
Supported operations are Get and Replace.
|
||||
|
||||
<a href="" id="provider-providerid-configlock"></a>**Provider/*ProviderID*/ConfigLock**
|
||||
|
||||
Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected.
|
||||
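Review bot: The LinkedEnrollment/Priority text contradicts itself: it says the value is "0" or "1", then gives both meanings to 1 ("Default is 1, meaning the MDM enrollment is the “winning” authority" and "Value 1 means MMP-C enrollment is the “winning” one"), so a reader cannot tell which authority wins by default. State which of 0 and 1 maps to MDM and which to MMP-C, and replace "Support operations are Get and Set" with the operation names used elsewhere in this file. Other items in the same hunk: the EnrollStatus list jumps from UnEnrollmentQueued = 5 to UnEnrollmentSucceeded = 8 with nothing said about 6 and 7, and has the typos "a enum" and "aas"; "(rollback details will be covered later)" under Unenroll is a placeholder; LastError lists no supported operations; IntervalForScheduledRetriesForUserSession points at `/<ProviderID>/Poll/NumberOfScheduledRetriesForUserSession` although that node is documented under MultipleSession; and MMP-C (also written MMPC) is never expanded.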
@ -497,7 +630,7 @@ The status error mapping is listed below.
|
||||
|--- |--- |
|
||||
|0|Success|
|
||||
|1|Failure: invalid PFN|
|
||||
|2|Failure: invalid or expired device authentication with MSA|
|
||||
|2|Failure: invalid or expired device authentication with Microsoft account|
|
||||
|3|Failure: WNS client registration failed due to an invalid or revoked PFN|
|
||||
|4|Failure: no Channel URI assigned|
|
||||
|5|Failure: Channel URI has expired|
|
||||
|
@ -14,12 +14,10 @@ ms.date: 06/26/2017
|
||||
|
||||
# EAP configuration
|
||||
|
||||
|
||||
This article provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including information about EAP certificate filtering in Windows 10.
|
||||
|
||||
## Create an EAP configuration XML for a VPN profile
|
||||
|
||||
|
||||
To get the EAP configuration from your desktop using the rasphone tool that is shipped in the box:
|
||||
|
||||
1. Run rasphone.exe.
|
||||
@ -107,15 +105,13 @@ To get the EAP configuration from your desktop using the rasphone tool that is s
|
||||
```
|
||||
|
||||
> [!NOTE]
|
||||
> You should check with mobile device management (MDM) vendor if you need to pass this XML in escaped format. The XSDs for all EAP methods are shipped in the box and can be found at the following locations:
|
||||
- C:\\Windows\\schemas\\EAPHost
|
||||
- C:\\Windows\\schemas\\EAPMethods
|
||||
> You should check with Mobile Device Management (MDM) vendor, if you need to pass this XML in escaped format. The XSDs for all EAP methods are shipped in the box and can be found at the following locations:
|
||||
> - C:\\Windows\\schemas\\EAPHost
|
||||
> - C:\\Windows\\schemas\\EAPMethods
|
||||
|
||||
|
||||
|
||||
## EAP certificate filtering
|
||||
|
||||
|
||||
In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned doesn't have a strict filtering criteria, you might see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria so that it matches only one certificate.
|
||||
|
||||
Enterprises deploying certificate-based EAP authentication for VPN and Wi-Fi can encounter a situation where there are multiple certificates that meet the default criteria for authentication. This situation can lead to issues such as:
|
||||
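Review bot: In the [!NOTE] block, the wording "You should check with Mobile Device Management (MDM) vendor, if you need to pass this XML in escaped format" has a stray comma, capitalizes a term the other wording keeps in lowercase, and lacks "your" before the vendor; the line that is kept should read "check with your mobile device management (MDM) vendor if you need to pass this XML in escaped format". The two schema paths belong inside the note, so the "> -" form of the bullets is the one to keep.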
@ -123,11 +119,11 @@ Enterprises deploying certificate-based EAP authentication for VPN and Wi-Fi can
|
||||
- The user might be prompted to select the certificate.
|
||||
- The wrong certificate might be auto-selected and cause an authentication failure.
|
||||
|
||||
A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication.
|
||||
A production ready deployment must have appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP configuration XML such that the extraneous certificates are filtered out and appropriate certificate can be used for the authentication.
|
||||
|
||||
EAP XML must be updated with relevant information for your environment. This task can be done manually by editing the following XML sample, or by using the step-by-step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
|
||||
EAP XML must be updated with relevant information for your environment. This task can be done manually by editing the following XML sample or by using the step-by-step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
|
||||
|
||||
- For Wi-Fi, look for the `<EAPConfig>` section of your current WLAN Profile XML. (This section is what you specify for the WLanXml node in the Wi-Fi CSP.) Within these tags you'll find the complete EAP configuration. Replace the section under `<EAPConfig>` with your updated XML and update your Wi-Fi profile. You can refer to your MDM’s guidance on how to deploy a new Wi-Fi profile.
|
||||
- For Wi-Fi, look for the `<EAPConfig>` section of your current WLAN Profile XML. (This section is what you specify for the WLanXml node in the Wi-Fi CSP.) Within these tags, you'll find the complete EAP configuration. Replace the section under `<EAPConfig>` with your updated XML and update your Wi-Fi profile. You can refer to your MDM’s guidance on how to deploy a new Wi-Fi profile.
|
||||
- For VPN, EAP configuration is a separate field in the MDM configuration. Work with your MDM provider to identify and update the appropriate field.
|
||||
|
||||
For information about EAP settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>.
|
||||
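Review bot: The unchanged last line of this hunk still sends readers to https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct, while the note near the end of this same article links the EAP settings article by its /previous-versions/windows/it-pro/... path; since the surrounding sentences are already being edited, point this link at the same path. In the reworded sentence, keep the articles: "the appropriate certificate details" and "the appropriate certificate can be used".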
@ -142,9 +138,9 @@ The following list describes the prerequisites for a certificate to be used with
|
||||
|
||||
- The certificate must have at least one of the following EKU properties:
|
||||
|
||||
- Client Authentication. As defined by RFC 5280, this property is a well-defined OID with value 1.3.6.1.5.5.7.3.2.
|
||||
- Any Purpose. This property is an EKU-defined one and is published by Microsoft, and is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering.
|
||||
- All Purpose. As defined by RFC 5280, if a CA includes EKUs to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an EKU value of 0. A certificate with such an EKU can be used for all purposes.
|
||||
- Client Authentication: As defined by RFC 5280, this property is a well-defined OID with value 1.3.6.1.5.5.7.3.2.
|
||||
- Any Purpose: This property is an EKU-defined one and is published by Microsoft. It is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering.
|
||||
- All Purpose: As defined by RFC 5280, if a CA includes EKUs to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an EKU value of 0. A certificate with such an EKU can be used for all purposes.
|
||||
|
||||
- The user or the computer certificate on the client must chain to a trusted root CA.
|
||||
- The user or the computer certificate doesn't fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy.
|
||||
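Review bot: The All Purpose bullet still says the CA "can add an EKU value of 0", which is not something a reader can match against a certificate; RFC 5280 names this anyExtendedKeyUsage, OID 2.5.29.37.0. The bullets are being reworded anyway and the other two give full OIDs (1.3.6.1.5.5.7.3.2 and 1.3.6.1.4.1.311.10.12.1), so give the full OID here as well so that all three can be used as filter values.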
@ -157,7 +153,6 @@ The following XML sample explains the properties for the EAP TLS XML, including
|
||||
> For PEAP or TTLS profiles, the EAP TLS XML is embedded within some PEAP-specific or TTLS-specific elements.
|
||||
|
||||
|
||||
|
||||
```xml
|
||||
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
|
||||
<EapMethod>
|
||||
@ -261,7 +256,6 @@ The following XML sample explains the properties for the EAP TLS XML, including
|
||||
> The EAP TLS XSD is located at %systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd.
|
||||
|
||||
|
||||
|
||||
Alternatively, you can use the following procedure to create an EAP configuration XML:
|
||||
|
||||
1. Follow steps 1 through 7 in the EAP configuration article.
|
||||
@ -290,8 +284,7 @@ Alternatively, you can use the following procedure to create an EAP configuratio
|
||||
> [!NOTE]
|
||||
> You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)) article.
|
||||
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
[Configuration service provider reference](configuration-service-provider-reference.md)
|
||||
|
@ -27,12 +27,12 @@ The table below shows the applicability of Windows:
|
||||
|
||||
The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip).
|
||||
|
||||
> [!Note]
|
||||
> To make WIP functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md).
|
||||
> [!NOTE]
|
||||
> To make Windows Information Protection functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md).
|
||||
|
||||
While WIP has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md).
|
||||
While Windows Information Protection has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md).
|
||||
|
||||
To learn more about WIP, see the following articles:
|
||||
To learn more about Windows Information Protection, see the following articles:
|
||||
|
||||
- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy)
|
||||
- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
|
||||
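Review bot: Expanding the abbreviation in only part of a sentence leaves both forms side by side, for example "While Windows Information Protection has no hard dependency on VPN ... before you configure the WIP policies". The opening paragraph already defines "Windows Information Protection (WIP)", so either keep WIP after that definition or expand every occurrence in the sentence being edited. The casing of the alert marker ([!Note] and [!NOTE] both appear here) should be made the same for every alert in the file in one pass.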
@ -63,8 +63,8 @@ The root node for the Windows Information Protection (WIP) configuration setting
|
||||
<a href="" id="settings-edpenforcementlevel"></a>**Settings/EDPEnforcementLevel**
|
||||
Set the WIP enforcement level.
|
||||
|
||||
> [!Note]
|
||||
> Setting this value isn't sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running.
|
||||
> [!NOTE]
|
||||
> Setting this value isn't sufficient to enable Windows Information Protection on the device. Attempts to change this value will fail when the WIP cleanup is running.
|
||||
|
||||
The following list shows the supported values:
|
||||
|
||||
@ -76,14 +76,13 @@ The following list shows the supported values:
|
||||
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
|
||||
|
||||
<a href="" id="settings-enterpriseprotecteddomainnames"></a>**Settings/EnterpriseProtectedDomainNames**
|
||||
A list of domains used by the enterprise for its user identities separated by pipes ("|"). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
|
||||
A list of domains used by the enterprise for its user identities separated by pipes ("|"). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for Windows Information Protection. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
|
||||
|
||||
Changing the primary enterprise ID isn't supported and may cause unexpected behavior on the client.
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
|
||||
|
||||
|
||||
Here are the steps to create canonical domain names:
|
||||
|
||||
1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com.
|
||||
@ -242,7 +241,7 @@ For EFSCertificate KeyTag, it's expected to be a DER ENCODED binary certificate.
|
||||
Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate.
|
||||
|
||||
<a href="" id="settings-revokeonunenroll"></a>**Settings/RevokeOnUnenroll**
|
||||
This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after unenrollment. If the keys aren't revoked, there will be no revoked file cleanup, later. Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1.
|
||||
This policy controls whether to revoke the Windows Information Protection keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after unenrollment. If the keys aren't revoked, there will be no revoked file cleanup, later. Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1.
|
||||
|
||||
The following list shows the supported values:
|
||||
|
||||
@ -252,7 +251,7 @@ The following list shows the supported values:
|
||||
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
|
||||
|
||||
<a href="" id="settings-revokeonmdmhandoff"></a>**Settings/RevokeOnMDMHandoff**
|
||||
Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
|
||||
Added in Windows 10, version 1703. This policy controls whether to revoke the Windows Information Protection keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
|
||||
|
||||
- 0 - Don't revoke keys.
|
||||
- 1 (default) - Revoke keys.
|
||||
@ -265,7 +264,7 @@ TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS t
|
||||
Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID).
|
||||
|
||||
<a href="" id="settings-allowazurermsforedp"></a>**Settings/AllowAzureRMSForEDP**
|
||||
Specifies whether to allow Azure RMS encryption for WIP.
|
||||
Specifies whether to allow Azure RMS encryption for Windows Information Protection.
|
||||
|
||||
- 0 (default) – Don't use RMS.
|
||||
- 1 – Use RMS.
|
||||
@ -278,7 +277,7 @@ When this policy isn't specified, the existing auto-encryption behavior is appli
|
||||
Supported operations are Add, Get, Replace and Delete. Value type is string.
|
||||
|
||||
<a href="" id="settings-edpshowicons"></a>**Settings/EDPShowIcons**
|
||||
Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app.
|
||||
Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the Windows Information Protection icon in the title bar of a WIP-protected app.
|
||||
The following list shows the supported values:
|
||||
|
||||
- 0 (default) - No WIP overlays on icons or tiles.
|
||||
@ -287,7 +286,7 @@ The following list shows the supported values:
|
||||
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
|
||||
|
||||
<a href="" id="status"></a>**Status**
|
||||
A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured.
|
||||
A read-only bit mask that indicates the current state of Windows Information Protection on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured.
|
||||
|
||||
Suggested values:
|
||||
|
||||
@ -299,7 +298,7 @@ Bit 0 indicates whether WIP is on or off.
|
||||
|
||||
Bit 1 indicates whether AppLocker WIP policies are set.
|
||||
|
||||
Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies aren't configured, the bit 3 is set to 0 (zero).
|
||||
Bit 3 indicates whether the mandatory Windows Information Protection policies are configured. If one or more of the mandatory WIP policies aren't configured, the bit 3 is set to 0 (zero).
|
||||
|
||||
Here's the list of mandatory WIP policies:
|
||||
|
||||
|
@ -5,8 +5,7 @@ ms.author: dansimp
|
||||
ms.topic: article
|
||||
ms.prod: w10
|
||||
ms.technology: windows
|
||||
author: manikadhiman
|
||||
ms.date: 11/29/2021
|
||||
author: dansimp
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
---
|
||||
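Review bot: Going by the hunk header (8 lines before, 7 after), the front matter loses `ms.date: 11/29/2021` alongside the author change from manikadhiman to dansimp, and no replacement date is added. Other files in this commit update `ms.date` instead of dropping it, so restore the key with the current date unless the removal is deliberate.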
@ -245,7 +244,7 @@ Default value is true.
|
||||
Value type is bool. Supported operations are Add, Get and Replace.
|
||||
|
||||
<a href="" id="defaultoutboundaction"></a>**/DefaultOutboundAction**
|
||||
This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it's explicitly specified not to block.
|
||||
This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will allow all outbound traffic unless it's explicitly specified not to allow.
|
||||
|
||||
- 0x00000000 - allow
|
||||
- 0x00000001 - block
|
||||
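Review bot: "unless it's explicitly specified not to allow", at the end of the rewritten DefaultOutboundAction sentence, is hard to parse, and the value list under it still doesn't say which of 0x00000000 and 0x00000001 is the default. Since this line reverses the documented default from block to allow, state it directly, for example "By default, outbound traffic is allowed unless a rule explicitly blocks it", and mark the default value in the list. "Merge law" in the sentence before it probably wants to be "merge rule".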
@ -441,4 +440,4 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
|
||||
|
||||
## Related topics
|
||||
|
||||
[Configuration service provider reference](configuration-service-provider-reference.md)
|
||||
[Configuration service provider reference](configuration-service-provider-reference.md)
|
||||
|
@ -80,17 +80,17 @@ Since the [Poll](dmclient-csp.md#provider-providerid-poll) node isn’t provided
|
||||
|
||||
MAM on Windows supports the following configuration service providers (CSPs). All other CSPs will be blocked. Note the list may change later based on customer feedback:
|
||||
|
||||
- [AppLocker CSP](applocker-csp.md) for configuration of WIP enterprise allowed apps.
|
||||
- [AppLocker CSP](applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps.
|
||||
- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
|
||||
- [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
|
||||
- [DevInfo CSP](devinfo-csp.md).
|
||||
- [DMAcc CSP](dmacc-csp.md).
|
||||
- [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL.
|
||||
- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has WIP policies.
|
||||
- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has Windows Information Protection policies.
|
||||
- [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
|
||||
- [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management.
|
||||
- [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas.
|
||||
- [Reporting CSP](reporting-csp.md) for retrieving WIP logs.
|
||||
- [Reporting CSP](reporting-csp.md) for retrieving Windows Information Protection logs.
|
||||
- [RootCaTrustedCertificates CSP](rootcacertificates-csp.md).
|
||||
- [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
|
||||
- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
|
||||
@ -116,13 +116,13 @@ MAM policy syncs are modeled after MDM. The MAM client uses an Azure AD token to
|
||||
Windows doesn't support applying both MAM and MDM policies to the same devices. If configured by the admin, users can change their MAM enrollment to MDM.
|
||||
|
||||
> [!NOTE]
|
||||
> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On Windows Home edition, we don't recommend pushing MDM policies to enable users to upgrade.
|
||||
> When users upgrade from MAM to MDM on Windows Home edition, they lose access to Windows Information Protection. On Windows Home edition, we don't recommend pushing MDM policies to enable users to upgrade.
|
||||
|
||||
To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL will be used for MDM enrollment.
|
||||
|
||||
In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when WIP policies are removed from the device, the user’s access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that:
|
||||
In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when Windows Information Protection policies are removed from the device, the user’s access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that:
|
||||
|
||||
- Both MAM and MDM policies for the organization support WIP.
|
||||
- Both MAM and MDM policies for the organization support Windows Information Protection.
|
||||
- EDP CSP Enterprise ID is the same for both MAM and MDM.
|
||||
- EDP CSP RevokeOnMDMHandoff is set to false.
|
||||
|
||||
|
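Review bot: The changed paragraph says selective wipe happens "unless EDP CSP RevokeOnUnenroll is set to false", but the conditions listed right after it require "EDP CSP RevokeOnMDMHandoff is set to false" and never mention RevokeOnUnenroll. State which setting governs the MAM-to-MDM handoff and how the two relate, because an admin who sets the wrong one revokes the user's access to protected documents. "EDP CSP" should also be written as EnterpriseDataProtection CSP, the name the CSP list earlier on this page uses.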
@ -1,28 +1,28 @@
|
||||
---
|
||||
title: Mobile device management
|
||||
description: Windows 10 and Windows 11 provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy
|
||||
description: Windows 10 and Windows 11 provide an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy.
|
||||
MS-HAID:
|
||||
- 'p\_phDeviceMgmt.provisioning\_and\_device\_management'
|
||||
- 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm'
|
||||
ms.assetid: 50ac90a7-713e-4487-9cb9-b6d6fdaa4e5b
|
||||
ms.author: dansimp
|
||||
ms.topic: article
|
||||
ms.topic: overview
|
||||
ms.prod: w10
|
||||
ms.technology: windows
|
||||
author: dansimp
|
||||
author: aczechowski
|
||||
ms.author: aaroncz
|
||||
ms.collection: highpri
|
||||
ms.date: 06/03/2022
|
||||
---
|
||||
|
||||
# Mobile device management
|
||||
|
||||
Windows 10 and Windows 11 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server.
|
||||
Windows 10 and Windows 11 provide an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server.
|
||||
|
||||
There are two parts to the Windows management component:
|
||||
There are two parts to the Windows management component:
|
||||
|
||||
- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server.
|
||||
- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT.
|
||||
- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server.
|
||||
- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT.
|
||||
|
||||
Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers don't need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
|
||||
Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers don't need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
|
||||
|
||||
## MDM security baseline
|
||||
|
||||
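Review bot: The "Third-party MDM servers can manage Windows 10" paragraph is touched in this hunk but still names only Windows 10, three times, while the description and the opening sentence now read "Windows 10 and Windows 11 provide". Either bring the paragraph in line with the intro or say explicitly that it applies to Windows 10 only. The description also has "user's privacy" where the body has "users' privacy".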
@ -37,7 +37,7 @@ The MDM security baseline includes policies that cover the following areas:
|
||||
- Legacy technology policies that offer alternative solutions with modern technology
|
||||
- And much more
|
||||
|
||||
For more details about the MDM policies defined in the MDM security baseline and what Microsoft's recommended baseline policy values are, see:
|
||||
For more information about the MDM policies defined in the MDM security baseline and what Microsoft's recommended baseline policy values are, see:
|
||||
|
||||
- [MDM Security baseline for Windows 11](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/Windows11-MDM-SecurityBaseLine-Document.zip)
|
||||
- [MDM Security baseline for Windows 10, version 2004](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/2004-MDM-SecurityBaseLine-Document.zip)
|
||||
@ -48,37 +48,27 @@ For more details about the MDM policies defined in the MDM security baseline and
|
||||
|
||||
For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
|
||||
|
||||
<span id="mmat" />
|
||||
|
||||
## Learn about migrating to MDM
|
||||
|
||||
When an organization wants to move to MDM to manage devices, they should prepare by analyzing their current Group Policy settings to see what they need to transition to MDM management. Microsoft created the [MDM Migration Analysis Tool](https://aka.ms/mmat/) (MMAT) to help. MMAT determines which Group Policies have been set for a target user or computer and then generates a report that lists the level of support for each policy setting in MDM equivalents. For more information, see [MMAT Instructions](https://github.com/WindowsDeviceManagement/MMAT/blob/master/MDM%20Migration%20Analysis%20Tool%20Instructions.pdf).
|
||||
|
||||
|
||||
## Learn about device enrollment
|
||||
|
||||
|
||||
- [Mobile device enrollment](mobile-device-enrollment.md)
|
||||
- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
|
||||
- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
|
||||
- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
|
||||
- [Mobile device enrollment](mobile-device-enrollment.md)
|
||||
- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
|
||||
- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
|
||||
- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
|
||||
|
||||
## Learn about device management
|
||||
|
||||
|
||||
- [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
|
||||
- [Enterprise app management](enterprise-app-management.md)
|
||||
- [Mobile device management (MDM) for device updates](device-update-management.md)
|
||||
- [Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md)
|
||||
- [OMA DM protocol support](oma-dm-protocol-support.md)
|
||||
- [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md)
|
||||
- [Server requirements for OMA DM](server-requirements-windows-mdm.md)
|
||||
- [Enterprise settings, policies, and app management](windows-mdm-enterprise-settings.md)
|
||||
- [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
|
||||
- [Enterprise app management](enterprise-app-management.md)
|
||||
- [Mobile device management (MDM) for device updates](device-update-management.md)
|
||||
- [Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md)
|
||||
- [OMA DM protocol support](oma-dm-protocol-support.md)
|
||||
- [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md)
|
||||
- [Server requirements for OMA DM](server-requirements-windows-mdm.md)
|
||||
- [Enterprise settings, policies, and app management](windows-mdm-enterprise-settings.md)
|
||||
|
||||
## Learn about configuration service providers
|
||||
|
||||
|
||||
- [Configuration service provider reference](configuration-service-provider-reference.md)
|
||||
- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md)
|
||||
- [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md)
|
||||
- [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal)
|
||||
- [Configuration service provider reference](configuration-service-provider-reference.md)
|
||||
- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md)
|
||||
- [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md)
|
||||
- [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal)
|
||||
|
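Review bot: The hunk header shrinks this region from 37 lines to 27, and the rendered lines include `<span id="mmat" />` and the "Learn about migrating to MDM" section. If those are among the removed lines, inbound links to the #mmat anchor break and need a redirect or a new target. Separately, the link text "On-premise authentication device enrollment" on the rewritten list line should read "On-premises".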
@ -9,7 +9,7 @@ ms.prod: w10
|
||||
ms.technology: windows
|
||||
author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 03/01/2022
|
||||
ms.date: 06/06/2022
|
||||
---
|
||||
|
||||
# Policies in Policy CSP supported by HoloLens 2
|
||||
@ -50,11 +50,15 @@ ms.date: 03/01/2022
|
||||
- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
|
||||
- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
|
||||
- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment)
|
||||
- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
|
||||
- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) <sup>9</sup>
|
||||
- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) <sup>10</sup>
|
||||
- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) <sup>11</sup>
|
||||
- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) <sup>9</sup>
|
||||
- [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#mixedreality-configuremovingplatform) <sup>*[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)</sup>
|
||||
- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) <sup>9</sup>
|
||||
- [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#mixedreality-headtrackingmode) <sup>9</sup>
|
||||
- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) <sup>9</sup>
|
||||
- [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#mixedreality-visitorautologon) <sup>10</sup>
|
||||
- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) <sup>9</sup>
|
||||
- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) <sup>9</sup>
|
||||
- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) <sup>9</sup>
|
||||
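Review bot: With 11 lines before and 15 after, only one of the 16 lines rendered here can be a removal, so the resulting list keeps a duplicate: either MixedReality/AADGroupMembershipCacheValidityInDays appears twice, or MixedReality/AutoLogonUser appears twice, once with footnote 10 and once with footnote 11. Keep one AutoLogonUser entry with the correct footnote, and settle on one link style, since the MixedReality entries mix `./policy-csp-mixedreality.md` and `policy-csp-mixedreality.md`.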
@ -102,13 +106,13 @@ ms.date: 03/01/2022
|
||||
- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) <sup>9</sup>
|
||||
- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
|
||||
- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
|
||||
- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#update-autorestartnotificationschedule) <sup>10</sup>
|
||||
- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#update-autorestartrequirednotificationdismissal) <sup>10</sup>
|
||||
- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#update-autorestartnotificationschedule) <sup>11</sup>
|
||||
- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#update-autorestartrequirednotificationdismissal) <sup>11</sup>
|
||||
- [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel)
|
||||
- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) <sup>10</sup>
|
||||
- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) <sup>10</sup>
|
||||
- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) <sup>10</sup>
|
||||
- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) <sup>10</sup>
|
||||
- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) <sup>11</sup>
|
||||
- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) <sup>11</sup>
|
||||
- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) <sup>11</sup>
|
||||
- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) <sup>11</sup>
|
||||
- [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#update-deferfeatureupdatesperiodindays)
|
||||
- [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#update-deferqualityupdatesperiodindays)
|
||||
- [Update/ManagePreviewBuilds](policy-csp-update.md#update-managepreviewbuilds)
|
||||
@ -116,10 +120,10 @@ ms.date: 03/01/2022
|
||||
- [Update/PauseQualityUpdates](policy-csp-update.md#update-pausequalityupdates)
|
||||
- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
|
||||
- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
|
||||
- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#update-scheduleimminentrestartwarning) <sup>10</sup>
|
||||
- [Update/ScheduleRestartWarning](policy-csp-update.md#update-schedulerestartwarning) <sup>10</sup>
|
||||
- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#update-scheduleimminentrestartwarning) <sup>11</sup>
|
||||
- [Update/ScheduleRestartWarning](policy-csp-update.md#update-schedulerestartwarning) <sup>11</sup>
|
||||
- [Update/SetDisablePauseUXAccess](policy-csp-update.md#update-setdisablepauseuxaccess)
|
||||
- [Update/UpdateNotificationLevel](policy-csp-update.md#update-updatenotificationlevel) <sup>10</sup>
|
||||
- [Update/UpdateNotificationLevel](policy-csp-update.md#update-updatenotificationlevel) <sup>11</sup>
|
||||
- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
|
||||
- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) <sup>8</sup>
|
||||
|
||||
@ -133,8 +137,9 @@ Footnotes:
|
||||
- 6 - Available in Windows 10, version 1903.
|
||||
- 7 - Available in Windows 10, version 1909.
|
||||
- 8 - Available in Windows 10, version 2004.
|
||||
- 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2)
|
||||
- 10 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2)
|
||||
- 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes-2004#windows-holographic-version-20h2)
|
||||
- 10 - Available in [Windows Holographic, version 21H1](/hololens/hololens-release-notes#windows-holographic-version-21h1)
|
||||
- 11 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2)
|
||||
|
||||
## Related topics
|
||||
|
||||
|
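Review bot: Inserting 21H1 as footnote 10 changes the meaning of every existing <sup>10</sup> marker, and MixedReality/VisitorAutoLogon in the list above still carries <sup>10</sup>, so it now reads as available in 21H1 rather than 21H2. Confirm that is intended, or move it to 11 like the Update entries. The new footnote 9 link points at /hololens/hololens-release-notes-2004 while 10 and 11 use /hololens/hololens-release-notes, which is worth verifying, and footnotes 9 to 11 lack the closing period that 6 to 8 have.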
@ -68,12 +68,12 @@ manager: dansimp
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
Specifies whether user is allowed to add non-MSA email accounts.
|
||||
Specifies whether user is allowed to add email accounts other than Microsoft account.
|
||||
|
||||
Most restricted value is 0.
|
||||
|
||||
> [!NOTE]
|
||||
> This policy will only block UI/UX-based methods for adding non-Microsoft accounts.
|
||||
> This policy will only block UI/UX-based methods for adding non-Microsoft accounts.
|
||||
|
||||
<!--/Description-->
|
||||
<!--SupportedValues-->
|
||||
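Review bot: The new description line is ungrammatical: "whether user is allowed" is missing its article and "other than Microsoft account" needs a plural. Suggest "Specifies whether the user is allowed to add email accounts other than Microsoft accounts." The note under it says the policy only blocks UI/UX-based methods, so it would help to say there which non-UI paths remain open, since readers may otherwise treat this setting as a hard control.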
@ -114,7 +114,7 @@ The following list shows the supported values:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services.
|
||||
Specifies whether the user is allowed to use a Microsoft account for non-email related connection authentication and services.
|
||||
|
||||
Most restricted value is 0.
|
||||
|
||||
@ -160,10 +160,10 @@ The following list shows the supported values:
|
||||
Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service.
|
||||
|
||||
> [!NOTE]
|
||||
> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
|
||||
> If the Microsoft account service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
|
||||
|
||||
> [!NOTE]
|
||||
> If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app.
|
||||
> If the Microsoft account service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the Microsoft account ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app.
|
||||
|
||||
<!--/Description-->
|
||||
<!--SupportedValues-->
|
||||
|
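Review bot: "Microsoft account service" in both rewritten notes is not the service name the paragraph above them gives, which is "Microsoft Account Sign-In Assistant" (wlidsvc). Replacing "MSA service" with a generic phrase makes it unclear which service must stay enabled for feature updates and Subscription Activation; use the full service name, or "the wlidsvc service", in both notes.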
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_Cpls
|
||||
description: Policy CSP - ADMX_Cpls
|
||||
description: Learn about the Policy CSP - ADMX_Cpls.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -65,7 +65,7 @@ manager: dansimp
|
||||
This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo.
|
||||
|
||||
> [!NOTE]
|
||||
> The default account picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg. The default guest picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg. If the default pictures do not exist, an empty frame is displayed.
|
||||
> The default account picture is stored at `%PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg.` The default guest picture is stored at `%PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg.` If the default pictures do not exist, an empty frame is displayed.
|
||||
|
||||
If you enable this policy setting, the default user account picture will display for all users on the system with no customization allowed.
|
||||
|
||||
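Review bot: In the rewritten note the sentence-ending periods sit inside the code spans, so the paths render as `...\user.jpg.` and `...\guest.jpg.` and no longer match the real file names when copied. Move each period outside the closing backtick.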
@ -85,6 +85,8 @@ ADMX Info:
|
||||
<!--/Policy-->
|
||||
<hr/>
|
||||
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_CredentialProviders
|
||||
description: Policy CSP - ADMX_CredentialProviders
|
||||
description: Learn about the Policy CSP - ADMX_CredentialProviders.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -124,7 +124,7 @@ This policy setting allows the administrator to assign a specified credential pr
|
||||
|
||||
If you enable this policy setting, the specified credential provider is selected on other user tile.
|
||||
|
||||
If you disable or do not configure this policy setting, the system picks the default credential provider on other user tile.
|
||||
If you disable or don't configure this policy setting, the system picks the default credential provider on other user tile.
|
||||
|
||||
> [!NOTE]
|
||||
> A list of registered credential providers and their GUIDs can be found in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers.
|
||||
@ -193,4 +193,8 @@ ADMX Info:
|
||||
<hr/>
|
||||
|
||||
|
||||
<!--/Policies-->
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_CredSsp
|
||||
description: Policy CSP - ADMX_CredSsp
|
||||
description: Learn about the Policy CSP - ADMX_CredSsp.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -710,3 +710,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_CredUI
|
||||
description: Policy CSP - ADMX_CredUI
|
||||
description: Learn about the Policy CSP - ADMX_CredUI.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -68,7 +68,7 @@ manager: dansimp
|
||||
This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials.
|
||||
|
||||
> [!NOTE]
|
||||
> This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled.
|
||||
> This policy affects non-logon authentication tasks only. As a security best practice, this policy should be enabled.
|
||||
|
||||
If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop through the trusted path mechanism.
|
||||
|
||||
@ -131,3 +131,6 @@ ADMX Info:
|
||||
<
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_CtrlAltDel
|
||||
description: Policy CSP - ADMX_CtrlAltDel
|
||||
description: Learn about the Policy CSP - ADMX_CtrlAltDel.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -75,7 +75,7 @@ This policy setting prevents users from changing their Windows password on deman
|
||||
|
||||
If you enable this policy setting, the **Change Password** button on the Windows Security dialog box won't appear when you press Ctrl+Alt+Del.
|
||||
|
||||
However, users are still able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring.
|
||||
However, users will still be able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -219,11 +219,11 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting disables or removes all menu items and buttons that log the user off the system.
|
||||
|
||||
If you enable this policy setting, users won't see the Log off menu item when they press Ctrl+Alt+Del. This scenario will prevent them from logging off unless they restart or shut down the computer, or clicking Log off from the Start menu.
|
||||
If you enable this policy setting, users won't see the Logoff menu item when they press Ctrl+Alt+Del. This scenario will prevent them from logging off unless they restart or shut down the computer, or clicking Log off from the Start menu.
|
||||
|
||||
Also, see the 'Remove Logoff on the Start Menu' policy setting.
|
||||
|
||||
If you disable or don't configure this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del.
|
||||
If you disable or don't configure this policy setting, users can see and select the Logoff menu item when they press Ctrl+Alt+Del.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
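Review bot: The rewritten sentences change the menu item to "Logoff" but keep "clicking Log off from the Start menu" a few words later, so the same page now spells the command two ways. Pick the spelling the UI uses and apply it to both. The clause "unless they restart or shut down the computer, or clicking Log off" is also not parallel; "or click Log off" fixes it.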
@ -241,3 +241,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_DataCollection
|
||||
description: Policy CSP - ADMX_DataCollection
|
||||
description: Learn about the Policy CSP - ADMX_DataCollection.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -87,3 +87,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_DCOM
|
||||
description: Policy CSP - ADMX_DCOM
|
||||
description: Learn about the Policy CSP - ADMX_DCOM.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -67,9 +67,10 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy setting allows you to specify that local computer administrators can supplement the "Define Activation Security Check exemptions" list.
|
||||
|
||||
- If you enable this policy setting, and DCOM doesn't find an explicit entry for a DCOM server application ID (appid) in the "Define Activation Security Check exemptions" policy (if enabled). Then DCOM will look for an entry in the locally configured list.
|
||||
If you enable this policy setting, and DCOM doesn't find an explicit entry for a DCOM server application ID (appid) in the "Define Activation Security Check exemptions" policy (if enabled). Then DCOM will look for an entry in the locally configured list.
|
||||
|
||||
If you disable this policy setting, DCOM won't look in the locally configured DCOM activation security check exemption list.
|
||||
|
||||
- If you disable this policy setting, DCOM won't look in the locally configured DCOM activation security check exemption list.
|
||||
If you don't configure this policy setting, DCOM will only look in the locally configured exemption list if the "Define Activation Security Check exemptions" policy isn't configured.
|
||||
|
||||
> [!NOTE]
|
||||
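Review bot: The enable paragraph is split by a full stop in the middle of its condition: "If you enable this policy setting, and DCOM doesn't find an explicit entry ... (if enabled). Then DCOM will look for an entry in the locally configured list." The first sentence has no main clause. Join the two as "... policy (if enabled), then DCOM will look ..." now that the bullet markers are being removed anyway.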
@ -122,14 +123,20 @@ DCOM server application IDs added to this policy must be listed in curly brace f
|
||||
|
||||
For example, `{b5dcb061-cefb-42e0-a1be-e6a6438133fe}`.
|
||||
If you enter a non-existent or improperly formatted application, ID DCOM will add it to the list without checking for errors.
|
||||
- If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings.
|
||||
|
||||
If you add an application ID to this list and set its value to one, DCOM won't enforce the Activation security check for that DCOM server.
|
||||
If you add an application ID to this list and set its value to 0, DCOM will always enforce the Activation security check for that DCOM server regardless of local
|
||||
settings.
|
||||
- If you disable this policy setting, the application ID exemption list defined by Group Policy is deleted, and the one defined by local computer administrators is used.
|
||||
settings.
|
||||
|
||||
If you don't configure this policy setting, the application ID exemption list defined by local computer administrators is used. Notes: The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process.
|
||||
If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings.
|
||||
|
||||
If you disable this policy setting, the application ID exemption list defined by Group Policy is deleted, and the one defined by local computer administrators is used.
|
||||
|
||||
If you don't configure this policy setting, the application ID exemption list defined by local computer administrators is used.
|
||||
|
||||
>[!Note]
|
||||
> The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process.
|
||||
|
||||
This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults. If the DCOM server's custom launch permission contains explicit DENY entries, then the object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead.
|
||||
|
||||
The proper action in this situation is to reconfigure the DCOM server's custom launch permission settings for correct security settings, but this policy setting may be used in the short term as an application compatibility deployment aid.
|
||||
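Review bot: In "If you enter a non-existent or improperly formatted application, ID DCOM will add it to the list", the comma sits inside the term; it should read "application ID, DCOM will add it". Two further points in the same hunk: the exemption values are written "set its value to one" and "set its value to 0", which should use the same numeric form because the value decides whether the Activation security check is enforced; and the two paragraphs that follow the new `>[!Note]` ("This access check is done against ..." and "The proper action in this situation ...") continue the note's explanation but are not prefixed with `>`, so they render outside it.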
@ -156,3 +163,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_Desktop
|
||||
description: Policy CSP - ADMX_Desktop
|
||||
description: Learn about Policy CSP - ADMX_Desktop.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -790,7 +790,6 @@ If you disable or don't configure this policy setting, the Properties menu comma
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
|
||||
<!--ADMXBacked-->
|
||||
ADMX Info:
|
||||
- GP Friendly name: *Remove Properties from the Documents icon context menu*
|
||||
@ -1530,3 +1529,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_DeviceCompat
|
||||
description: Policy CSP - ADMX_DeviceCompat
|
||||
description: Learn about Policy CSP - ADMX_DeviceCompat.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -106,7 +106,7 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
Changes behavior of third-party drivers to work around incompatibilities introduced between OS versions.
|
||||
Changes behavior of third-party drivers to work around incompatibilities introduced between OS versions.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -120,4 +120,8 @@ ADMX Info:
|
||||
<!--/ADMXBacked-->
|
||||
<!--/Policy-->
|
||||
|
||||
<!--/Policies-->
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_DeviceGuard
|
||||
description: Policy CSP - ADMX_DeviceGuard
|
||||
description: Learn about Policy CSP - ADMX_DeviceGuard.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -69,11 +69,12 @@ If you deploy a Code Integrity Policy, Windows will restrict what can run in bot
|
||||
To enable this policy, the machine must be rebooted.
|
||||
The file path must be either a UNC path (for example, `\\ServerName\ShareName\SIPolicy.p7b`),
|
||||
or a locally valid path (for example, `C:\FolderName\SIPolicy.p7b)`.
|
||||
|
||||
|
||||
The local machine account (LOCAL SYSTEM) must have access permission to the policy file.
|
||||
If using a signed and protected policy, then disabling this policy setting doesn't remove the feature from the computer. Instead, you must either:
|
||||
1. First update the policy to a non-protected policy and then disable the setting.
|
||||
2. Disable the setting and then remove the policy from each computer, with a physically present user.
|
||||
If using a signed and protected policy, then disabling this policy setting doesn't remove the feature from the computer. Instead, you must either:
|
||||
|
||||
- First update the policy to a non-protected policy and then disable the setting. (or)
|
||||
- Disable the setting and then remove the policy from each computer, with a physically present user.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
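Review bot: The first new bullet ends with "then disable the setting. (or)", which leaves a stray "(or)" after the full stop; the lead-in already says "you must either:", so drop it or fold it into the sentence. While this paragraph is being touched, the local path example closes its parenthesis inside the code span (`C:\FolderName\SIPolicy.p7b)`), so the ")" is rendered as part of the path.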
@ -90,3 +91,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_DeviceInstallation
|
||||
description: Policy CSP - ADMX_DeviceInstallation
|
||||
description: Learn about Policy CSP - ADMX_DeviceInstallation.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -277,7 +277,8 @@ If you enable this policy setting, set the number of seconds you want the system
|
||||
|
||||
If you disable or don't configure this policy setting, the system doesn't force a reboot.
|
||||
|
||||
Note: If no reboot is forced, the device installation restriction right won't take effect until the system is restarted.
|
||||
>[!Note]
|
||||
> If no reboot is forced, the device installation restriction right won't take effect until the system is restarted.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
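Review bot: The new alert is written `>[!Note]` with no space after `>` and mixed case, while the existing alerts in these files use `> [!NOTE]`. Use the existing form so the alert markup is uniform across the policy pages.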
@ -434,4 +435,8 @@ ADMX Info:
|
||||
<!--/Policy-->
|
||||
<hr/>
|
||||
|
||||
<!--/Policies-->
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_DeviceSetup
|
||||
description: Policy CSP - ADMX_DeviceSetup
|
||||
description: Learn about Policy CSP - ADMX_DeviceSetup.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -116,7 +116,10 @@ This policy setting allows you to specify the order in which Windows searches so
|
||||
|
||||
If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all.
|
||||
|
||||
Searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows won't continually search for updates. This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. If the setting for searching only if needed is specified, then Windows will search for a driver only if a driver isn't locally available on the system.
|
||||
>[!Note]
|
||||
> Searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows won't continually search for updates.
|
||||
|
||||
This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. If the setting for searching is enabled and only when needed is specified, then Windows will search for a driver only if a driver isn't locally available on the system.
|
||||
|
||||
If you disable or don't configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers.
|
||||
|
||||
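Review bot: Moving "Searching always implies ..." into a note separates it from "This setting is used to ensure ...", which now opens its own paragraph and no longer has a clear referent for "This setting". The reworded condition "If the setting for searching is enabled and only when needed is specified" is also harder to parse than the text it replaces ("If the setting for searching only if needed is specified"). Please also confirm "even if the network is temporarily available"; the sentence reads as if "unavailable" was intended.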
@ -135,3 +138,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_DFS
|
||||
description: Policy CSP - ADMX_DFS
|
||||
description: Learn about Policy CSP - ADMX_DFS.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -64,10 +64,9 @@ manager: dansimp
|
||||
This policy setting allows you to configure how often a Distributed File System (DFS) client attempts to discover domain controllers on a network.
|
||||
By default, a DFS client attempts to discover domain controllers every 15 minutes.
|
||||
|
||||
- If you enable this policy setting, you can configure how often a DFS client attempts to discover domain controllers.
|
||||
This value is specified in minutes.
|
||||
If you enable this policy setting, you can configure how often a DFS client attempts to discover domain controllers. This value is specified in minutes.
|
||||
|
||||
- If you disable or do not configure this policy setting, the default value of 15 minutes applies.
|
||||
If you disable or don't configure this policy setting, the default value of 15 minutes applies.
|
||||
|
||||
> [!NOTE]
|
||||
> The minimum value you can select is 15 minutes. If you try to set this setting to a value less than 15 minutes, the default value of 15 minutes is applied.
|
||||
@ -88,3 +87,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_DigitalLocker
|
||||
description: Policy CSP - ADMX_DigitalLocker
|
||||
description: Learn about Policy CSP - ADMX_DigitalLocker.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -75,7 +75,6 @@ If you disable or don't configure this setting, Digital Locker can be run.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
|
||||
<!--ADMXBacked-->
|
||||
ADMX Info:
|
||||
- GP Friendly name: *Do not allow Digital Locker to run*
|
||||
@ -139,3 +138,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_DiskDiagnostic
|
||||
description: Policy CSP - ADMX_DiskDiagnostic
|
||||
description: Learn about Policy CSP - ADMX_DiskDiagnostic.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -67,12 +67,13 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault.
|
||||
|
||||
- If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters.
|
||||
- If you disable or do not configure this policy setting, Windows displays the default alert text in the disk diagnostic message.
|
||||
If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters.
|
||||
|
||||
No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately.
|
||||
If you disable or don't configure this policy setting, Windows displays the default alert text in the disk diagnostic message.
|
||||
|
||||
This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed.
|
||||
No reboots or service restarts are required for this policy setting to take effect, whereas changes take effect immediately.
|
||||
|
||||
This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios aren't executed.
|
||||
The DPS can be configured with the Services snap-in to the Microsoft Management Console.
|
||||
|
||||
> [!NOTE]
|
||||
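Review bot: "No reboots or service restarts are required for this policy setting to take effect, whereas changes take effect immediately." uses "whereas", which signals a contrast, but the second clause restates the first. The wording it replaces used a colon; keep the colon or write two sentences.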
@ -123,12 +124,15 @@ This policy setting determines the execution level for S.M.A.R.T.-based disk dia
|
||||
|
||||
Self-Monitoring And Reporting Technology (S.M.A.R.T.) is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S.M.A.R.T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S.M.A.R.T. faults to the event log when they occur.
|
||||
|
||||
- If you enable this policy setting, the DPS also warns users of S.M.A.R.T. faults and guides them through backup and recovery to minimize potential data loss.
|
||||
- If you disable this policy, S.M.A.R.T. faults are still detected and logged, but no corrective action is taken.
|
||||
- If you do not configure this policy setting, the DPS enables S.M.A.R.T. fault resolution by default. This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured.
|
||||
If you enable this policy setting, the DPS also warns users of S.M.A.R.T. faults and guides them through backup and recovery to minimize potential data loss.
|
||||
|
||||
No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately.
|
||||
This policy setting takes effect only when the DPS is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
|
||||
If you disable this policy, S.M.A.R.T. faults are still detected and logged, but no corrective action is taken.
|
||||
|
||||
If you don't configure this policy setting, the DPS enables S.M.A.R.T. fault resolution by default. This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured.
|
||||
|
||||
No reboots or service restarts are required for this policy setting to take effect, whereas changes take effect immediately.
|
||||
|
||||
This policy setting takes effect only when the DPS is in the running state. When the service is stopped or disabled, diagnostic scenarios aren't executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
|
||||
|
||||
> [!NOTE]
|
||||
> For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed.
|
||||
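Review bot: With the bullets removed, "This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured." stays attached to the "If you don't configure this policy setting" paragraph, although it is a precondition for the whole setting; give it its own paragraph. The same "..., whereas changes take effect immediately." wording appears here and has the same problem with "whereas". The closing note still says "role is not installed" while the rest of the hunk moves to contractions.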
@ -149,3 +153,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_DiskNVCache
|
||||
description: Policy CSP - ADMX_DiskNVCache
|
||||
description: Learn about Policy CSP - ADMX_DiskNVCache.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -72,7 +72,6 @@ This policy setting turns off the boot and resumes optimizations for the hybrid
|
||||
|
||||
If you enable this policy setting, the system doesn't use the non-volatile (NV) cache to optimize boot and resume.
|
||||
|
||||
If you disable this policy setting, the system uses the NV cache to achieve faster boot and resume.
|
||||
The system determines the data that will be stored in the NV cache to optimize boot and resume.
|
||||
|
||||
The required data is stored in the NV cache during shutdown and hibernate, respectively. This storage in such a location might cause a slight increase in the time taken for shutdown and hibernate. If you don't configure this policy setting, the default behavior is observed and the NV cache is used for boot and resume optimizations.
|
||||
@ -127,8 +126,6 @@ If you disable this policy setting, the system will manage the NV cache on the d
|
||||
|
||||
This policy setting will take effect on next boot. If you don't configure this policy setting, the default behavior is to turn on support for the NV cache.
|
||||
|
||||
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
<!--ADMXBacked-->
|
||||
@ -175,7 +172,10 @@ If you enable this policy setting, frequently written files such as the file sys
|
||||
|
||||
If you disable this policy setting, the system will store frequently written data into the non-volatile (NV) cache. This storage allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power.
|
||||
|
||||
This usage can cause increased wear of the NV cache. If you don't configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. Note: This policy setting is applicable only if the NV cache feature is on.
|
||||
This can cause increased wear of the NV cache. If you don't configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache.
|
||||
|
||||
>[!Note]
|
||||
> This policy setting is applicable only if the NV cache feature is on.
|
||||
|
||||
|
||||
<!--/Description-->
|
||||
@ -195,3 +195,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_DiskQuota
|
||||
description: Policy CSP - ADMX_DiskQuota
|
||||
description: Learn about Policy CSP - ADMX_DiskQuota.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -360,3 +360,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_DistributedLinkTracking
|
||||
description: Policy CSP - ADMX_DistributedLinkTracking
|
||||
description: Learn about Policy CSP - ADMX_DistributedLinkTracking.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -62,8 +62,10 @@ manager: dansimp
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers.
|
||||
The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer.
|
||||
This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers.
|
||||
|
||||
The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer.
|
||||
|
||||
The DLT client can more reliably track links when allowed to use the DLT server.
|
||||
This policy shouldn't be set unless the DLT server is running on all domain controllers in the domain.
|
||||
|
||||
@ -86,3 +88,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_DnsClient
|
||||
description: Policy CSP - ADMX_DnsClient
|
||||
description: Learn about Policy CSP - ADMX_DnsClient.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -590,7 +590,8 @@ If you enable this policy setting, a computer will register A and PTR resource r
|
||||
|
||||
For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
|
||||
|
||||
Important: This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled.
|
||||
>[!Important]
|
||||
> This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled.
|
||||
|
||||
If you disable this policy setting, or if you don't configure this policy setting, a DNS client computer won't register any A and PTR resource records using a connection-specific DNS suffix.
|
||||
<!--/Description-->
|
||||
@ -642,7 +643,7 @@ If you enable this policy setting, registration of PTR records will be determine
|
||||
|
||||
To use this policy setting, click Enabled, and then select one of the following options from the drop-down list:
|
||||
|
||||
- don't register: Computers won't attempt to register PTR resource records
|
||||
- Do not register: Computers won't attempt to register PTR resource records
|
||||
- Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records wasn't successful.
|
||||
- Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful.
|
||||
|
||||
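Review bot: The corrected option "Do not register: Computers won't attempt to register PTR resource records" has no terminal period, while the other two options in the list end with one.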
@ -739,11 +740,11 @@ This policy setting specifies whether dynamic updates should overwrite existing
|
||||
|
||||
This policy setting is designed for computers that register address (A) resource records in DNS zones that don't use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and doesn't allow a DNS client to overwrite records that are registered by other computers.
|
||||
|
||||
During dynamic update of resource records in a zone that doesn't use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address.
|
||||
During dynamic update of resource records in a zone that doesn't use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing (A) resource record with an (A) resource record that has the client's current IP address.
|
||||
|
||||
If you enable this policy setting or if you don't configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update.
|
||||
If you enable this policy setting or if you don't configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting (A) resource records during dynamic update.
|
||||
|
||||
If you disable this policy setting, existing A resource records that contain conflicting IP addresses won't be replaced during a dynamic update, and an error will be recorded in Event Viewer.
|
||||
If you disable this policy setting, existing (A) resource records that contain conflicting IP addresses won't be replaced during a dynamic update, and an error will be recorded in Event Viewer.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
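Review bot: The "(A)" notation is applied only partly. The first sentence of the rewritten paragraph still says "an A resource record might exist", while the next sentence and the following paragraphs use "(A) resource record", which also yields "an (A) resource record". The opening paragraph already introduces the term as "address (A) resource records"; either use that full form or keep plain "A resource record" throughout.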
@ -1229,3 +1230,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_DWM
|
||||
description: Policy CSP - ADMX_DWM
|
||||
description: Learn about Policy CSP - ADMX_DWM.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -349,3 +349,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_EAIME
|
||||
description: Policy CSP - ADMX_EAIME
|
||||
description: Learn about the Policy CSP - ADMX_EAIME.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -698,3 +698,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_EncryptFilesonMove
|
||||
description: Policy CSP - ADMX_EncryptFilesonMove
|
||||
description: Learn about the Policy CSP - ADMX_EncryptFilesonMove.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -64,9 +64,9 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder.
|
||||
|
||||
If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder.
|
||||
If you enable this policy setting, File Explorer won't automatically encrypt files that are moved to an encrypted folder.
|
||||
|
||||
If you disable or do not configure this policy setting, File Explorer automatically encrypts files that are moved to an encrypted folder.
|
||||
If you disable or don't configure this policy setting, File Explorer automatically encrypts files that are moved to an encrypted folder.
|
||||
|
||||
This setting applies only to files moved within a volume. When files are moved to other volumes, or if you create a new file in an encrypted folder, File Explorer encrypts those files automatically.
|
||||
|
||||
@ -87,3 +87,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_EnhancedStorage
|
||||
description: Policy CSP - ADMX_EnhancedStorage
|
||||
description: Learn about the Policy CSP - ADMX_EnhancedStorage.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -77,7 +77,7 @@ manager: dansimp
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer.
|
||||
This policy setting allows you to configure a list of Enhanced Storage devices that contain a manufacturer and product ID that are usable on your computer.
|
||||
|
||||
If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer.
|
||||
|
||||
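Review bot: "a list of Enhanced Storage devices that contain a manufacturer and product ID that are usable on your computer" stacks two "that" clauses, so it is unclear whether the devices or the IDs are usable. The wording it replaces, "by manufacturer and product ID", states how the list is keyed and is easier to read.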
@ -123,7 +123,7 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer.
|
||||
This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that is usable on your computer.
|
||||
|
||||
If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer.
|
||||
|
||||
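Review bot: Changing "that are usable" to "that is usable" makes the clause agree with "list" or "specification" rather than "silos". The next paragraph says "only IEEE 1667 silos that match a silo type identifier ... are usable", so the silos are the subject and the plural verb should stay.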
@ -263,7 +263,8 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting locks Enhanced Storage devices when the computer is locked.
|
||||
|
||||
This policy setting is supported in Windows Server SKUs only.
|
||||
>[!Note]
|
||||
>This policy setting is supported in Windows Server SKUs only.
|
||||
|
||||
If you enable this policy setting, the Enhanced Storage device remains locked when the computer is locked.
|
||||
|
||||
@ -330,3 +331,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_ErrorReporting
|
||||
description: Policy CSP - ADMX_ErrorReporting
|
||||
description: Learn about the Policy CSP - ADMX_ErrorReporting.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -252,11 +252,14 @@ To create a list of applications for which Windows Error Reporting never reports
|
||||
|
||||
If you enable this policy setting, you can create a list of applications that are always included in error reporting. To add applications to the list, click Show under the Report errors for applications on this list setting, and edit the list of application file names in the Show Contents dialog box. The file names must include the .exe file name extension (for example, notepad.exe). Errors that are generated by applications on this list are always reported, even if the Default dropdown in the Default application reporting policy setting is set to report no application errors.
|
||||
|
||||
If the Report all errors in Microsoft applications or Report all errors in Windows components check boxes in the Default Application Reporting policy setting are filled, Windows Error Reporting reports errors as if all applications in these categories were added to the list in this policy setting. (Note: The Microsoft applications category includes the Windows components category.)
|
||||
If the Report all errors in Microsoft applications or Report all errors in Windows components check boxes in the Default Application Reporting policy setting are filled, Windows Error Reporting reports errors as if all applications in these categories were added to the list in this policy setting.
|
||||
|
||||
>[!Note]
|
||||
>The Microsoft applications category includes the Windows components category.
|
||||
|
||||
If you disable this policy setting or don't configure it, the Default application reporting settings policy setting takes precedence.
|
||||
|
||||
Also see the "Default Application Reporting" and "Application Exclusion List" policies.
|
||||
Also, see the "Default Application Reporting" and "Application Exclusion List" policies.
|
||||
|
||||
This setting will be ignored if the 'Configure Error Reporting' setting is disabled or not configured.
|
||||
|
||||
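Review bot: The alert added here is written ">[!Note]" with no space after ">" and in mixed case, while the ADMX_Explorer and ADMX_FramePanes files in this same commit use "> [!NOTE]". Pick one form for all the notes this change introduces. The unchanged last line also still says "disabled or not configured" where the rest of the text was moved to "don't configure", so it could be aligned in the same pass.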
@ -311,22 +314,17 @@ This policy setting doesn't enable or disable Windows Error Reporting. To turn W
|
||||
If you enable this policy setting, the setting overrides any user changes made to Windows Error Reporting settings in Control Panel, and default values are applied for any Windows Error Reporting policy settings that aren't configured (even if users have changed settings by using Control Panel). If you enable this policy setting, you can configure the following settings in the policy setting:
|
||||
|
||||
- "Do not display links to any Microsoft ‘More information’ websites": Select this option if you don't want error dialog boxes to display links to Microsoft websites.
|
||||
|
||||
- "Do not collect additional files": Select this option if you don't want extra files to be collected and included in error reports.
|
||||
|
||||
- "Do not collect additional computer data": Select this option if you don't want additional information about the computer to be collected and included in error reports.
|
||||
|
||||
- "Force queue mode for application errors": Select this option if you don't want users to report errors. When this option is selected, errors are stored in a queue directory, and the next administrator to sign in to the computer can send the error reports to Microsoft.
|
||||
|
||||
- "Corporate file path": Type a UNC path to enable Corporate Error Reporting. All errors are stored at the specified location instead of being sent directly to Microsoft, and the next administrator to sign in to the computer can send the error reports to Microsoft.
|
||||
|
||||
- "Replace instances of the word ‘Microsoft’ with": You can specify text with which to customize your error report dialog boxes. The word ""Microsoft"" is replaced with the specified text.
|
||||
|
||||
If you don't configure this policy setting, users can change Windows Error Reporting settings in Control Panel. By default, these settings are Enable Reporting on computers that are running Windows XP, and Report to Queue on computers that are running Windows Server 2003.
|
||||
|
||||
If you disable this policy setting, configuration settings in the policy setting are left blank.
|
||||
|
||||
See related policy settings Display Error Notification (same folder as this policy setting), and Turn off Windows Error Reporting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings.
|
||||
See related policy settings Display Error Notification (same folder as this policy setting), and turn off Windows Error Reporting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
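Review bot: In the "See related policy settings" sentence, "Turn off Windows Error Reporting" was lowercased to "turn off Windows Error Reporting". It is the name of a related policy setting, listed next to "Display Error Notification", so the lowercase form now reads as an instruction to turn reporting off. Restore the capital and consider bolding or quoting both policy names so they cannot be misread.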
@ -927,13 +925,9 @@ This policy setting determines the consent behavior of Windows Error Reporting f
|
||||
If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those types meant for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.
|
||||
|
||||
- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type.
|
||||
|
||||
- 1 (Always ask before sending data): Windows prompts the user for consent to send reports.
|
||||
|
||||
- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send more data requested by Microsoft.
|
||||
|
||||
- 3 (Send parameters and safe extra data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and data which Windows has determined (within a high probability) doesn't contain personally identifiable data, and prompts the user for consent to send more data requested by Microsoft.
|
||||
|
||||
- 4 (Send all data): Any data requested by Microsoft is sent automatically.
|
||||
|
||||
If you disable or don't configure this policy setting, then the default consent settings that are applied are those settings specified by the user in Control Panel, or in the Configure Default Consent policy setting.
|
||||
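Review bot: The consent-level list (0 through 4) only loses its blank lines here, while the equivalent lists in the two Configure Default Consent hunks below get bold labels. Format the labels in this list the same way, for example "**0 (Disable)**", so the three lists in this file stay consistent.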
@ -1074,13 +1068,10 @@ This policy setting determines the default consent behavior of Windows Error Rep
|
||||
|
||||
If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting:
|
||||
|
||||
- Always ask before sending data: Windows prompts users for consent to send reports.
|
||||
|
||||
- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send more data that is requested by Microsoft.
|
||||
|
||||
- Send parameters and safe extra data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) doesn't contain personally identifiable information is sent automatically, and Windows prompts the user for consent to send more data that is requested by Microsoft.
|
||||
|
||||
- Send all data: any error reporting data requested by Microsoft is sent automatically.
|
||||
- **Always ask before sending data**: Windows prompts users for consent to send reports.
|
||||
- **Send parameters**: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send more data that is requested by Microsoft.
|
||||
- **Send parameters and safe extra data**: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) doesn't contain personally identifiable information is sent automatically, and Windows prompts the user for consent to send more data that is requested by Microsoft.
|
||||
- **Send all data**: any error reporting data requested by Microsoft is sent automatically.
|
||||
|
||||
If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data.
|
||||
|
||||
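Review bot: The bolded list items are capitalized inconsistently after the label: "Only the minimum data" starts with a capital, while "the minimum data that is required" and "any error reporting data" do not. Since every item is being rewritten anyway, start each description with a capital letter. The same applies to the identical list in the next hunk.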
@ -1128,13 +1119,10 @@ This policy setting determines the default consent behavior of Windows Error Rep
|
||||
|
||||
If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting:
|
||||
|
||||
- Always ask before sending data: Windows prompts users for consent to send reports.
|
||||
|
||||
- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send more data that is requested by Microsoft.
|
||||
|
||||
- Send parameters and safe extra data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) doesn't contain personally identifiable information is sent automatically, and Windows prompts the user for consent to send more data that is requested by Microsoft.
|
||||
|
||||
- Send all data: any error reporting data requested by Microsoft is sent automatically.
|
||||
- **Always ask before sending data**: Windows prompts users for consent to send reports.
|
||||
- **Send parameters**: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send more data that is requested by Microsoft.
|
||||
- **Send parameters and safe extra data**: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) doesn't contain personally identifiable information is sent automatically, and Windows prompts the user for consent to send more data that is requested by Microsoft.
|
||||
- **Send all data**: any error reporting data requested by Microsoft is sent automatically.
|
||||
|
||||
If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data.
|
||||
|
||||
@ -1526,3 +1514,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_EventForwarding
|
||||
description: Policy CSP - ADMX_EventForwarding
|
||||
description: Learn about the Policy CSP - ADMX_EventForwarding.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -124,11 +124,11 @@ If you enable this policy setting, you can configure the Source Computer to cont
|
||||
Use the following syntax when using the HTTPS protocol:
|
||||
|
||||
``` syntax
|
||||
|
||||
Server=https://<FQDN of the collector>:5986/wsman/SubscriptionManager/WEC,Refresh=<Refresh interval in seconds>,IssuerCA=<Thumb print of the client authentication certificate>.
|
||||
```
|
||||
|
||||
When using the HTTP protocol, use port 5985.
|
||||
>[!Note]
|
||||
> When using the HTTP protocol, use port 5985.
|
||||
|
||||
If you disable or don't configure this policy setting, the Event Collector computer won't be specified.
|
||||
|
||||
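Review bot: The syntax block ends with a period after "IssuerCA=<Thumb print of the client authentication certificate>", inside the fence, so anyone copying the line takes the period with it. Move the period out of the fence and spell the placeholder "Thumbprint". The new note gives only the port for HTTP; it would help to show the full HTTP form of the Server= value, since the example above covers HTTPS on 5986 only.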
@ -148,3 +148,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_EventLog
|
||||
description: Policy CSP - ADMX_EventLog
|
||||
description: Learn about the Policy CSP - ADMX_EventLog.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -126,7 +126,10 @@ This policy setting turns on logging.
|
||||
|
||||
If you enable or don't configure this policy setting, then events can be written to this log.
|
||||
|
||||
If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting.
|
||||
If the policy setting is disabled, then no new events can be logged.
|
||||
|
||||
>[!Note]
|
||||
> Events can always be read from the log, regardless of this policy setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -984,7 +987,8 @@ If you enable this policy setting and a log file reaches its maximum size, new e
|
||||
|
||||
If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
|
||||
|
||||
Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
|
||||
>[!Note]
|
||||
> Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
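Review bot: The sentence moved into the note, "Old events may or may not be retained according to the "Backup log automatically when full" policy setting", does not say which configuration keeps old events and which discards them. For an administrator deciding how much log history survives when the file fills, state the outcome for each state of that policy. The same sentence is repeated in the next two hunks.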
@ -1032,7 +1036,8 @@ If you enable this policy setting and a log file reaches its maximum size, new e
|
||||
|
||||
If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
|
||||
|
||||
Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
|
||||
>[!Note]
|
||||
> Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1081,7 +1086,8 @@ If you enable this policy setting and a log file reaches its maximum size, new e
|
||||
|
||||
If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
|
||||
|
||||
Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
|
||||
>[!Note]
|
||||
> Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1098,3 +1104,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_EventLogging
|
||||
description: Policy CSP - ADMX_EventLogging
|
||||
description: Learn about the Policy CSP - ADMX_EventLogging.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -64,11 +64,11 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy setting lets you configure Protected Event Logging.
|
||||
|
||||
- If you enable this policy setting, components that support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. Data will be encrypted using the Cryptographic Message Syntax (CMS) standard and the public key you provide.
|
||||
If you enable this policy setting, components that support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. Data will be encrypted using the Cryptographic Message Syntax (CMS) standard and the public key you provide.
|
||||
|
||||
You can use the Unprotect-CmsMessage PowerShell cmdlet to decrypt these encrypted messages, if you have access to the private key corresponding to the public key that they were encrypted with.
|
||||
You can use the `Unprotect-CmsMessage` PowerShell cmdlet to decrypt these encrypted messages, if you have access to the private key corresponding to the public key that they were encrypted with.
|
||||
|
||||
- If you disable or don't configure this policy setting, components won't encrypt event log messages before writing them to the event log.
|
||||
If you disable or don't configure this policy setting, components won't encrypt event log messages before writing them to the event log.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
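Review bot: The description says components "will use the certificate you supply" and that decryption needs "access to the private key corresponding to the public key", but it does not say in what form the certificate is supplied or where the private key is expected to be held. Since this hunk already reworks the paragraphs, add a sentence covering both so the setting can be configured from this page alone.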
@ -86,3 +86,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_EventViewer
|
||||
description: Policy CSP - ADMX_EventViewer
|
||||
description: Learn about the Policy CSP - ADMX_EventViewer.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -153,9 +153,9 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This URL is the one that will be passed to the Description area in the Event Properties dialog box.
|
||||
Change this value if you want to use a different Web server to handle event information requests.
|
||||
This URL is the one that will be passed to the Description area in the Event Properties dialog box.
|
||||
|
||||
Change this value if you want to use a different Web server to handle event information requests.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -173,3 +173,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_Explorer
|
||||
description: Policy CSP - ADMX_Explorer
|
||||
description: Learn about the Policy CSP - ADMX_Explorer.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -74,7 +74,7 @@ manager: dansimp
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy.
|
||||
This policy setting sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -166,7 +166,7 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer won't reinitialize default program associations and other settings to default values.
|
||||
This policy setting allows administrators who have configured roaming profile with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer won't reinitialize default program associations and other settings to default values.
|
||||
|
||||
If you enable this policy setting on a machine that doesn't contain all programs installed in the same manner as it was on the machine on which the user had last logged on, unexpected behavior could occur.
|
||||
|
||||
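Review bot: Replacing "in conjunction with" by "with" leaves "configured roaming profile with Delete Cached Roaming Profile Group Policy setting", which is missing its articles and is harder to parse than before. Suggest "configured a roaming profile together with the Delete Cached Roaming Profile Group Policy setting".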
@ -210,14 +210,14 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Users Files folder in File Explorer.
|
||||
This policy setting allows administrators to prevent users from adding new items, such as files or folders to the root of their Users Files folder in File Explorer.
|
||||
|
||||
If you enable this policy setting, users will no longer be able to add new items such as files or folders to the root of their Users Files folder in File Explorer.
|
||||
If you enable this policy setting, users will no longer be able to add new items, such as files or folders to the root of their Users Files folder in File Explorer.
|
||||
|
||||
If you disable or don't configure this policy setting, users will be able to add new items such as files or folders to the root of their Users Files folder in File Explorer.
|
||||
|
||||
> [!NOTE]
|
||||
> Enabling this policy setting doesn't prevent the user from being able to add new items such as files and folders to their actual file system profile folder at %userprofile%.
|
||||
> Enabling this policy setting doesn't prevent the user from being able to add new items, such as files and folders to their actual file system profile folder at %userprofile%.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
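Review bot: The comma added in "new items, such as files or folders to the root of their Users Files folder" opens a parenthetical that is never closed. Either add the matching comma after "folders" or drop the new one. The "If you disable or don't configure" paragraph was left without the comma, so the three paragraphs and the note no longer match.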
@ -259,7 +259,9 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy is similar to settings directly available to computer users. Disabling animations can improve usability for users with some visual disabilities, and also improve performance and battery life in some scenarios.
|
||||
This policy is similar to settings directly available to computer users.
|
||||
|
||||
Disabling animations can improve usability for users with some visual disabilities, and also improve performance and battery life in some scenarios.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -274,4 +276,8 @@ ADMX Info:
|
||||
<!--/Policy-->
|
||||
<hr/>
|
||||
|
||||
<!--/Policies-->
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_ExternalBoot
|
||||
description: Policy CSP - ADMX_ExternalBoot
|
||||
description: Learn about the Policy CSP - ADMX_ExternalBoot.
|
||||
ms.author: dansimp
|
||||
ms.topic: article
|
||||
ms.prod: w10
|
||||
@ -72,9 +72,9 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace.
|
||||
|
||||
- If you enable this setting, Windows, when started from a Windows To Go workspace, can hibernate the PC.
|
||||
If you enable this setting, Windows, when started from a Windows To Go workspace, can hibernate the PC.
|
||||
|
||||
- If you disable or don't configure this setting, Windows, when started from a Windows To Go workspace, and can't hibernate the PC.
|
||||
If you disable or don't configure this setting, Windows, when started from a Windows To Go workspace, and can't hibernate the PC.
|
||||
|
||||
|
||||
<!--/Description-->
|
||||
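Review bot: The rewritten disable paragraph keeps a stray "and": "Windows, when started from a Windows To Go workspace, and can't hibernate the PC." Remove "and" so the sentence parallels the enable case above it.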
@ -168,9 +168,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting controls whether the PC will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the Windows To Go Startup Options Control Panel item.
|
||||
|
||||
- If you enable this setting, booting to Windows To Go when a USB device is connected will be enabled, and users won't be able to make changes using the Windows To Go Startup Options Control Panel item.
|
||||
If you enable this setting, booting to Windows To Go when a USB device is connected will be enabled, and users won't be able to make changes using the Windows To Go Startup Options Control Panel item.
|
||||
|
||||
- If you disable this setting, booting to Windows To Go when a USB device is connected won't be enabled unless a user configures the option manually in the BIOS or other boot order configuration.
|
||||
If you disable this setting, booting to Windows To Go when a USB device is connected won't be enabled unless a user configures the option manually in the BIOS or other boot order configuration.
|
||||
|
||||
If you don't configure this setting, users who are members of the Administrators group can make changes using the Windows To Go Startup Options Control Panel item.
|
||||
|
||||
@ -188,3 +188,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_FileRecovery
|
||||
description: Policy CSP - ADMX_FileRecovery
|
||||
description: Learn about the Policy CSP - ADMX_FileRecovery.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -75,3 +75,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_FileRevocation
|
||||
description: Policy CSP - ADMX_FileRevocation
|
||||
description: Learn about the Policy CSP - ADMX_FileRevocation.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -61,9 +61,9 @@ manager: dansimp
|
||||
Windows Runtime applications can protect content that has been associated with an enterprise identifier (EID), but can only revoke access to content it protected. To allow an application to revoke access to all content on the device that is protected by a particular enterprise, add an entry to the list on a new line that contains the enterprise identifier, separated by a comma, and the Package Family Name of the application. The EID must be an internet domain belonging to the enterprise in standard international domain name format.
|
||||
Example value: `Contoso.com,ContosoIT.HumanResourcesApp_m5g0r7arhahqy`
|
||||
|
||||
- If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device.
|
||||
If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device.
|
||||
|
||||
- If you disable or don't configure this policy setting, the only Windows Runtime applications that can revoke access to all enterprise-protected content on the device are Windows Mail and the user-selected mailto protocol handler app.
|
||||
If you disable or don't configure this policy setting, the only Windows Runtime applications that can revoke access to all enterprise-protected content on the device are Windows Mail and the user-selected mailto protocol handler app.
|
||||
|
||||
Any other Windows Runtime application will only be able to revoke access to content it protected.
|
||||
|
||||
@ -86,3 +86,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_FileServerVSSProvider
|
||||
description: Policy CSP - ADMX_FileServerVSSProvider
|
||||
description: Learn about the Policy CSP - ADMX_FileServerVSSProvider.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -87,3 +87,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_FileSys
|
||||
description: Policy CSP - ADMX_FileSys
|
||||
description: Learn about the Policy CSP - ADMX_FileSys.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -100,7 +100,6 @@ ADMX Info:
|
||||
<!--Policy-->
|
||||
<a href="" id="admx-filesys-disabledeletenotification"></a>**ADMX_FileSys/DisableDeleteNotification**
|
||||
|
||||
|
||||
|Edition|Windows 10|Windows 11|
|
||||
|--- |--- |--- |
|
||||
|Home|No|No|
|
||||
@ -167,8 +166,9 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files.
|
||||
Encryption can add to the processing overhead of filesystem operations.
|
||||
|
||||
Enabling this setting will prevent access to and creation of encrypted files.
|
||||
|
||||
<!--ADMXBacked-->
|
||||
ADMX Info:
|
||||
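Review bot: In the lines shown, the description opens with "<!--Description-->" but "<!--ADMXBacked-->" follows the text with no "<!--/Description-->" in between, unlike the other policies in this file. Add the closing marker after "Enabling this setting will prevent access to and creation of encrypted files." while this block is being edited.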
@ -206,7 +206,9 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted.
|
||||
Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations.
|
||||
|
||||
Enabling this setting will cause the page files to be encrypted.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -246,7 +248,9 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to be accessible within the process.
|
||||
Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it.
|
||||
|
||||
Enabling this setting will cause the long paths to be accessible within the process.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
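Review bot: The first sentence uses both "Win32 long paths" and "manifested win32 applications". Capitalize the second as "Win32" so the term is consistent within the line being rewritten.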
@ -288,7 +292,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting provides control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system.
|
||||
|
||||
If you enable short names on all volumes, then short names will always be generated. If you disable them on all volumes, then they'll never be generated. If you set short name creation to be configurable on a per volume basis, then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes, then short names will only be generated for files created on the system volume.
|
||||
If you enable short names on all volumes, then short names will always be generated. If you disable them on all volumes, then they'll never be generated. If you set short name creation to be configurable on a per volume basis, then an on-disk flag will determine whether or not short names are created on a given volume.
|
||||
|
||||
If you disable short name creation on all data volumes, then short names will only be generated for files created on the system volume.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -398,3 +404,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_FolderRedirection
|
||||
description: Policy CSP - ADMX_FolderRedirection
|
||||
description: Learn about the Policy CSP - ADMX_FolderRedirection.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -402,3 +402,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_FramePanes
|
||||
description: Policy CSP - ADMX_FramePanes
|
||||
description: Learn about the Policy CSP - ADMX_FramePanes.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -64,14 +64,14 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy setting shows or hides the Details Pane in File Explorer.
|
||||
|
||||
- If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and can't be turned on by the user.
|
||||
If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and can't be turned on by the user.
|
||||
|
||||
- If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and can't be hidden by the user.
|
||||
If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and can't be hidden by the user.
|
||||
|
||||
> [!NOTE]
|
||||
> This has a side effect of not being able to toggle to the Preview Pane since the two can't be displayed at the same time.
|
||||
|
||||
- If you disable, or don't configure this policy setting, the Details Pane is hidden by default and can be displayed by the user.
|
||||
If you disable, or don't configure this policy setting, the Details Pane is hidden by default and can be displayed by the user.
|
||||
|
||||
This setting is the default policy setting.
|
||||
|
||||
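Review bot: With the bullets removed, the trailing line "This setting is the default policy setting." no longer clearly belongs to the disable or don't configure case and can be read as referring to the whole policy. Fold it into the preceding paragraph, and remove the comma in "If you disable, or don't configure this policy setting".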
@ -116,9 +116,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
Hides the Preview Pane in File Explorer.
|
||||
|
||||
- If you enable this policy setting, the Preview Pane in File Explorer is hidden and can't be turned on by the user.
|
||||
If you enable this policy setting, the Preview Pane in File Explorer is hidden and can't be turned on by the user.
|
||||
|
||||
- If you disable, or don't configure this setting, the Preview Pane is hidden by default and can be displayed by the user.
|
||||
If you disable, or don't configure this setting, the Preview Pane is hidden by default and can be displayed by the user.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
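Review bot: The opening line "Hides the Preview Pane in File Explorer." is left as a fragment, although the ADMX_Explorer hunk in this commit changed the same pattern to "This policy setting sets the target". Apply the same opener here, and drop the comma in "If you disable, or don't configure this setting".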
@ -134,3 +134,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_FTHSVC
|
||||
description: Policy CSP - ADMX_FTHSVC
|
||||
description: Learn about the Policy CSP - ADMX_FTHSVC.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
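Review bot: The new front-matter description, "Learn about the Policy CSP - ADMX_FTHSVC.", still only restates the title, so it tells a reader or a search result nothing about what the policy area controls. Suggest naming the subject, for example the Diagnostic Policy Service and Fault Tolerant Heap behavior that the policy text in this file describes.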
@ -63,12 +63,14 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy setting permits or prohibits the Diagnostic Policy Service (DPS) from automatically resolving any heap corruption problems.
|
||||
|
||||
- If you enable this policy setting, the DPS detects, troubleshoots, and attempts to resolve automatically any heap corruption problems.
|
||||
If you enable this policy setting, the DPS detects, troubleshoots, and attempts to resolve automatically any heap corruption problems.
|
||||
|
||||
- If you disable this policy setting, Windows cannot detect, troubleshoot, and attempt to resolve automatically any heap corruption problems that are handled by the DPS.
|
||||
If you do not configure this policy setting, the DPS enables Fault Tolerant Heap for resolution by default.
|
||||
This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured.
|
||||
This policy setting takes effect only when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed.
|
||||
If you disable this policy setting, Windows can't detect, troubleshoot, and attempt to resolve automatically any heap corruption problems that are handled by the DPS.
|
||||
|
||||
If you don't configure this policy setting, the DPS enables Fault Tolerant Heap for resolution by default.
|
||||
|
||||
This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured.
|
||||
This policy setting takes effect only when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios aren't executed.
|
||||
The DPS can be configured with the Services snap-in to the Microsoft Management Console.
|
||||
No system restart or service restart is required for this policy setting to take effect: changes take effect immediately.
|
||||
|
||||
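Review bot: Blank lines were added between the enable, disable and not-configured paragraphs, but the last four sentences (from "This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured." through "No system restart or service restart is required ...") are still on adjacent lines with no blank line between them, so they will render as one run-on paragraph. Separate them the same way, or make them a list. The rewritten sentences also keep the awkward order "attempts to resolve automatically"; "automatically resolve" reads better.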
@ -88,3 +90,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_Globalization
|
||||
description: Policy CSP - ADMX_Globalization
|
||||
description: Learn about the Policy CSP - ADMX_Globalization.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -135,9 +135,9 @@ This policy prevents automatic copying of user input methods to the system accou
|
||||
|
||||
This confinement doesn't affect the availability of user input methods on the lock screen or with the UAC prompt.
|
||||
|
||||
If the policy is Enabled, then the user will get input methods enabled for the system account on the sign-in page.
|
||||
If the policy is enabled, then the user will get input methods enabled for the system account on the sign-in page.
|
||||
|
||||
If the policy is Disabled or Not Configured, then the user will be able to use input methods enabled for their user account on the sign-in page.
|
||||
If the policy is disabled or not configured, then the user will be able to use input methods enabled for their user account on the sign-in page.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -498,7 +498,7 @@ Automatic learning enables the collection and storage of text and ink written by
|
||||
> [!NOTE]
|
||||
> Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. For more information, see Tablet PC Help.
|
||||
|
||||
If you enable this policy setting, automatic learning stops and any stored data is deleted. Users can't configure this setting in Control Panel.
|
||||
If you enable this policy setting, automatic learning stops and any stored data are deleted. Users can't configure this setting in Control Panel.
|
||||
|
||||
If you disable this policy setting, automatic learning is turned on. Users can't configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on.
|
||||
|
||||
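Review bot: The changed line now reads "any stored data are deleted", but the unchanged sentence two lines below still says "Collected data is only used for handwriting recognition". Pick one number for "data" within the same description; keeping "is" in both places avoids touching the second sentence.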
@ -558,7 +558,7 @@ Automatic learning enables the collection and storage of text and ink written by
|
||||
> [!NOTE]
|
||||
> Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. For more information, see Tablet PC Help.
|
||||
|
||||
If you enable this policy setting, automatic learning stops and any stored data is deleted. Users can't configure this setting in Control Panel.
|
||||
If you enable this policy setting, automatic learning stops and any stored data are deleted. Users can't configure this setting in Control Panel.
|
||||
|
||||
If you disable this policy setting, automatic learning is turned on. Users can't configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on.
|
||||
|
||||
@ -1119,9 +1119,9 @@ This policy turns off the autocorrect misspelled words option. This turn off doe
|
||||
|
||||
The autocorrect misspelled words option controls whether or not errors in typed text will be automatically corrected.
|
||||
|
||||
If the policy is Enabled, then the option will be locked to not autocorrect misspelled words.
|
||||
If the policy is enabled, then the option will be locked to not autocorrect misspelled words.
|
||||
|
||||
If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference.
|
||||
If the policy is disabled or not configured, then the user will be free to change the setting according to their preference.
|
||||
|
||||
The availability and function of this setting is dependent on supported languages being enabled.
|
||||
<!--/Description-->
|
||||
@ -1168,9 +1168,9 @@ This policy turns off the highlight misspelled words option. This turn off doesn
|
||||
|
||||
The highlight misspelled words option controls whether or next spelling errors in typed text will be highlighted.
|
||||
|
||||
If the policy is Enabled, then the option will be locked to not highlight misspelled words.
|
||||
If the policy is enabled, then the option will be locked to not highlight misspelled words.
|
||||
|
||||
If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference.
|
||||
If the policy is disabled or not configured, then the user will be free to change the setting according to their preference.
|
||||
|
||||
The availability and function of this setting is dependent on supported languages being enabled.
|
||||
|
||||
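Review bot: The context line "controls whether or next spelling errors in typed text will be highlighted" has a typo that this cleanup leaves in place: "whether or next" should be "whether or not". Since the hunk already edits the two sentences right after it, fix it in the same change.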
@ -1218,9 +1218,9 @@ This policy turns off the insert a space after selecting a text prediction optio
|
||||
|
||||
The insert a space after selecting a text prediction option controls whether or not a space will be inserted after the user selects a text prediction candidate when using the on-screen keyboard.
|
||||
|
||||
If the policy is Enabled, then the option will be locked to not insert a space after selecting a text prediction.
|
||||
If the policy is enabled, then the option will be locked to not insert a space after selecting a text prediction.
|
||||
|
||||
If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference.
|
||||
If the policy is disabled or not configured, then the user will be free to change the setting according to their preference.
|
||||
|
||||
The availability and function of this setting is dependent on supported languages being enabled.
|
||||
<!--/Description-->
|
||||
@ -1267,9 +1267,9 @@ This policy turns off the offer text predictions as I type option. This turn off
|
||||
|
||||
The offer text predictions as I type option controls whether or not text prediction suggestions will be presented to the user on the on-screen keyboard.
|
||||
|
||||
If the policy is Enabled, then the option will be locked to not offer text predictions.
|
||||
If the policy is enabled, then the option will be locked to not offer text predictions.
|
||||
|
||||
If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference.
|
||||
If the policy is disabled or not configured, then the user will be free to change the setting according to their preference.
|
||||
|
||||
The availability and function of this setting is dependent on supported languages being enabled.
|
||||
|
||||
@ -1336,4 +1336,8 @@ ADMX Info:
|
||||
<!--/Policy-->
|
||||
<hr/>
|
||||
|
||||
<!--/Policies-->
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_GroupPolicy
|
||||
description: Policy CSP - ADMX_GroupPolicy
|
||||
description: Learn about the Policy CSP - ADMX_GroupPolicy.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -1735,7 +1735,7 @@ In addition to background updates, Group Policy for the computer is always updat
|
||||
|
||||
By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes.
|
||||
|
||||
If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals aren't appropriate for most installations.
|
||||
If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, short update intervals aren't appropriate for most installations.
|
||||
|
||||
If you disable this setting, Group Policy is updated every 90 minutes (the default). To specify that Group Policy should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" policy.
|
||||
|
||||
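Review bot: Dropping "very" from "very short update intervals" changes the meaning of the warning. The sentence follows the 0-minute case (a refresh every 7 seconds) and the default is 90 minutes, so "short update intervals aren't appropriate" now reads as a caution against any value below the default without saying where the limit is. Keep "very short" or state the range that is discouraged.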
@ -1793,7 +1793,7 @@ This policy setting specifies how often Group Policy is updated on domain contro
|
||||
|
||||
By default, Group Policy on the domain controllers is updated every five minutes.
|
||||
|
||||
If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the domain controller tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals aren't appropriate for most installations.
|
||||
If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the domain controller tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, short update intervals aren't appropriate for most installations.
|
||||
|
||||
If you disable or don't configure this setting, the domain controller updates Group Policy every 5 minutes (the default). To specify that Group Policies for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting.
|
||||
|
||||
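Review bot: The numerals for the default are inconsistent inside this description: the context line says "updated every five minutes" and the disable line says "every 5 minutes (the default)". Use one form. The closing sentence also talks about "Group Policies for users" and "while the computer is in use" although this setting is about domain controllers, which is worth checking while the paragraph is being edited.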
@ -1849,7 +1849,7 @@ In addition to background updates, Group Policy for users is always updated when
|
||||
|
||||
By default, user Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes.
|
||||
|
||||
If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update user Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals aren't appropriate for most installations.
|
||||
If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update user Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, short update intervals aren't appropriate for most installations.
|
||||
|
||||
If you disable this setting, user Group Policy is updated every 90 minutes (the default). To specify that Group Policy for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting.
|
||||
|
||||
@ -2061,7 +2061,6 @@ By default, when you edit a Group Policy Object (GPO) using the Group Policy Obj
|
||||
This edit-option leads to the following behavior:
|
||||
|
||||
- If you originally created the GPO with, for example, an English system, the GPO contains English ADM files.
|
||||
|
||||
- If you later edit the GPO from a different-language system, you get the English ADM files as they were in the GPO.
|
||||
|
||||
You can change this behavior by using this setting.
|
||||
@ -2070,7 +2069,7 @@ If you enable this setting, the Group Policy Object Editor snap-in always uses l
|
||||
|
||||
This pattern leads to the following behavior:
|
||||
|
||||
- If you had originally created the GPO with an English system, and then you edit the GPO with a Japanese system, the Group Policy Object Editor snap-in uses the local Japanese ADM files, and you see the text in Japanese under Administrative Templates.
|
||||
If you had originally created the GPO with an English system, and then you edit the GPO with a Japanese system, the Group Policy Object Editor snap-in uses the local Japanese ADM files, and you see the text in Japanese under Administrative Templates.
|
||||
|
||||
If you disable or don't configure this setting, the Group Policy Object Editor snap-in always loads all ADM files from the actual GPO.
|
||||
|
||||
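Review bot: The Japanese-system example loses its list marker but still sits under the lead-in "This pattern leads to the following behavior:", while the parallel list under "This edit-option leads to the following behavior:" in the preceding hunk keeps its bullets. Either keep the bullet here or reword the lead-in so it no longer announces a list.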
@ -2121,21 +2120,15 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This security feature provides a means to override individual process MitigationOptions settings. This security feature can be used to enforce many security policies specific to applications. The application name is specified as the Value name, including extension. The Value is specified as a bit field with a series of flags in particular positions. Bits can be set to either 0 (setting is forced off), 1 (setting is forced on), or ? (setting retains its existing value prior to GPO evaluation). The recognized bit locations are:
|
||||
|
||||
PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001)
|
||||
Enables data execution prevention (DEP) for the child process
|
||||
PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001): Enables data execution prevention (DEP) for the child process
|
||||
|
||||
PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002)
|
||||
Enables DEP-ATL thunk emulation for the child process. DEP-ATL thunk emulation causes the system to intercept NX faults that originate from the Active Template Library (ATL) thunk layer.
|
||||
PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002): Enables DEP-ATL thunk emulation for the child process. DEP-ATL thunk emulation causes the system to intercept NX faults that originate from the Active Template Library (ATL) thunk layer.
|
||||
|
||||
PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004)
|
||||
Enables structured exception handler overwrite protection (SEHOP) for the child process. SEHOP blocks exploits that use the structured exception handler (SEH) overwrite technique.
|
||||
PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004): Enables structured exception handler overwrite protection (SEHOP) for the child process. SEHOP blocks exploits that use the structured exception handler (SEH) overwrite technique.
|
||||
|
||||
PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100)
|
||||
The force Address Space Layout Randomization (ASLR) policy forcibly rebases images that aren't dynamic base compatible by acting as though an image base collision happened at load time. If relocations are required, images that don't have a base relocation section won't be loaded.
|
||||
PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100): The force Address Space Layout Randomization (ASLR) policy forcibly rebases images that aren't dynamic base compatible by acting as though an image base collision happened at load time. If relocations are required, images that don't have a base relocation section won't be loaded.
|
||||
|
||||
PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000)
|
||||
PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000)
|
||||
The bottom-up randomization policy, which includes stack randomization options, causes a random location to be used as the lowest user address.
|
||||
PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000),PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000): The bottom-up randomization policy, which includes stack randomization options, causes a random location to be used as the lowest user address.
|
||||
|
||||
For instance, to enable PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE and PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON, disable PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF, and to leave all other options at their default values, specify a value of:
|
||||
???????????????0???????1???????1
|
||||
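Review bot: The worked example at the end of this description does not match the flag values listed above it. Reading the string with the rightmost character as bit 0 (the reading under which the two 1s line up with 0x00000001 and 0x00000100), the 0 sits at 0x00010000, which the list names PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON, yet the sentence says it disables ..._BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000). An administrator copying this value would set a different bit than the text claims, so correct either the string or the flag name. In the merged lines, the bottom-up ASLR entry is also missing a space after the comma between the two constants, and the constants and the example value would be easier to copy safely in code formatting and as a list.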
@ -2434,13 +2427,12 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who signs in to a computer affected by this setting. It's intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.
|
||||
|
||||
By default, the user's Group Policy Objects determine which user settings apply. If this setting is enabled, then, when a user signs in to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies.
|
||||
By default, the user's Group Policy Objects determine which user settings apply. If this setting is enabled, then when a user signs in to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies.
|
||||
|
||||
If you enable this setting, you can select one of the following modes from the Mode box:
|
||||
|
||||
"Replace" indicates that the user settings defined in the computer's Group Policy Objects replace the user settings normally applied to the user.
|
||||
|
||||
"Merge" indicates that the user settings defined in the computer's Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy Objects take precedence over the user's normal settings.
|
||||
- "Replace" indicates that the user settings defined in the computer's Group Policy Objects replace the user settings normally applied to the user.
|
||||
- "Merge" indicates that the user settings defined in the computer's Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy Objects take precedence over the user's normal settings.
|
||||
|
||||
If you disable this setting or don't configure it, the user's Group Policy Objects determines which user settings apply.
|
||||
|
||||
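Review bot: The last sentence of this description, "the user's Group Policy Objects determines which user settings apply", has a subject-verb mismatch that the edit leaves in place; the second paragraph of the same hunk correctly uses "Group Policy Objects determine". Change "determines" to "determine" here as well.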
@ -2462,4 +2454,8 @@ ADMX Info:
|
||||
<hr/>
|
||||
|
||||
|
||||
<!--/Policies-->
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_Help
|
||||
description: Policy CSP - ADMX_Help
|
||||
description: Learn about the Policy CSP - ADMX_Help.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -22,7 +22,7 @@ manager: dansimp
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--Policies--
|
||||
<!--Policies-->
|
||||
## ADMX_Help policies
|
||||
|
||||
<dl>
|
||||
@ -83,7 +83,7 @@ If you disable or don't configure this policy setting, DEP is turned on for HTML
|
||||
|
||||
<!--ADMXBacked-->
|
||||
ADMX Info:
|
||||
- GP Friendly name: *Turn off Data Execution Prevention for HTML Help Executible*
|
||||
- GP Friendly name: *Turn off Data Execution Prevention for HTML Help Executable*
|
||||
- GP name: *DisableHHDEP*
|
||||
- GP path: *System*
|
||||
- GP ADMX file name: *Help.admx*
|
||||
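Review bot: The "GP Friendly name" value is changed from "Executible" to "Executable", but this field is meant to mirror the display string shipped in Help.admx. Please confirm the template's own string uses the corrected spelling; if it does not, administrators searching the Group Policy editor for the documented name will not find the DisableHHDEP setting, and the original spelling should stay.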
@ -260,3 +260,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_HelpAndSupport
|
||||
description: Policy CSP - ADMX_HelpAndSupport
|
||||
description: Learn about the Policy CSP - ADMX_HelpAndSupport.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -72,9 +72,9 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy setting specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links.
|
||||
|
||||
If you enable this policy setting, active content links are not rendered. The text is displayed, but there are no clickable links for these elements.
|
||||
If you enable this policy setting, active content links aren't rendered. The text is displayed, but there are no clickable links for these elements.
|
||||
|
||||
If you disable or do not configure this policy setting, the default behavior applies (Help viewer renders trusted assistance content with active elements).
|
||||
If you disable or don't configure this policy setting, the default behavior applies (Help viewer renders trusted assistance content with active elements).
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -119,9 +119,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies whether users can provide ratings for Help content.
|
||||
|
||||
If you enable this policy setting, ratings controls are not added to Help content.
|
||||
If you enable this policy setting, ratings controls aren't added to Help content.
|
||||
|
||||
If you disable or do not configure this policy setting, ratings controls are added to Help topics.
|
||||
If you disable or don't configure this policy setting, ratings controls are added to Help topics.
|
||||
|
||||
Users can use the control to provide feedback on the quality and usefulness of the Help and Support content.
|
||||
|
||||
@ -167,9 +167,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it.
|
||||
|
||||
If you enable this policy setting, users cannot participate in the Help Experience Improvement program.
|
||||
If you enable this policy setting, users can't participate in the Help Experience Improvement program.
|
||||
|
||||
If you disable or do not configure this policy setting, users can turn on the Help Experience Improvement program feature from the Help and Support settings page.
|
||||
If you disable or don't configure this policy setting, users can turn on the Help Experience Improvement program feature from the Help and Support settings page.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -216,7 +216,7 @@ This policy setting specifies whether users can search and view content from Win
|
||||
|
||||
If you enable this policy setting, users are prevented from accessing online assistance content from Windows Online.
|
||||
|
||||
If you disable or do not configure this policy setting, users can access online assistance if they have a connection to the Internet and have not disabled Windows Online from the Help and Support Options page.
|
||||
If you disable or don't configure this policy setting, users can access online assistance if they have a connection to the Internet and haven't disabled Windows Online from the Help and Support Options page.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -236,3 +236,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_HotSpotAuth
|
||||
description: Policy CSP - ADMX_HotSpotAuth
|
||||
description: Learn about the Policy CSP - ADMX_HotSpotAuth.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -67,9 +67,9 @@ This policy setting defines whether WLAN hotspots are probed for Wireless Intern
|
||||
|
||||
- If authentication is successful, users will be connected automatically on subsequent attempts. Credentials can also be configured by network operators.
|
||||
|
||||
- If you enable this policy setting, or if you do not configure this policy setting, WLAN hotspots are automatically probed for WISPR protocol support.
|
||||
- If you enable this policy setting, or if you don't configure this policy setting, WLAN hotspots are automatically probed for WISPR protocol support.
|
||||
|
||||
- If you disable this policy setting, WLAN hotspots are not probed for WISPr protocol support, and users can only authenticate with WLAN hotspots using a web browser.
|
||||
- If you disable this policy setting, WLAN hotspots aren't probed for WISPr protocol support, and users can only authenticate with WLAN hotspots using a web browser.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
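Review bot: The protocol name is cased two ways in the rewritten bullets: the enable line says "WISPR protocol support" and the disable line says "WISPr protocol support". Use one casing in both lines, matching the expansion given at the start of the description.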
@ -88,3 +88,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_ICM
|
||||
description: Policy CSP - ADMX_ICM
|
||||
description: Learn about the Policy CSP - ADMX_ICM.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -1410,3 +1410,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_IIS
|
||||
description: Policy CSP - ADMX_IIS
|
||||
description: Learn about the Policy CSP - ADMX_IIS.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -63,11 +63,11 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy setting prevents installation of Internet Information Services (IIS) on this computer.
|
||||
|
||||
- If you enable this policy setting, Internet Information Services (IIS) can't be installed, and you'll not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not receive a warning that IIS can't be installed because of this Group Policy setting.
|
||||
If you enable this policy setting, Internet Information Services (IIS) can't be installed, and you'll not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not receive a warning that IIS can't be installed because of this Group Policy setting.
|
||||
|
||||
Enabling this setting won't have any effect on IIS if IIS is already installed on the computer.
|
||||
Enabling this setting won't have any effect on IIS, if IIS is already installed on the computer.
|
||||
|
||||
- If you disable or don't configure this policy setting, IIS can be installed, and all the programs and applications that require IIS to run."
|
||||
If you disable or don't configure this policy setting, IIS can be installed, and all the programs and applications that require IIS to run."
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
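Review bot: The final sentence, "IIS can be installed, and all the programs and applications that require IIS to run."", is left as a fragment with a stray closing quotation mark: the second clause has no verb. Suggest "IIS can be installed, along with all the programs and applications that require IIS to run." Also, the comma added in "won't have any effect on IIS, if IIS is already installed" is not needed, and "you'll not be able to install" reads better as "you won't be able to install".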
@ -87,3 +87,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_iSCSI
|
||||
description: Policy CSP - ADMX_iSCSI
|
||||
description: Learn about the Policy CSP - ADMX_iSCSI.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -178,3 +178,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_kdc
|
||||
description: Policy CSP - ADMX_kdc
|
||||
description: Learn about the Policy CSP - ADMX_kdc.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -13,6 +13,7 @@ manager: dansimp
|
||||
---
|
||||
|
||||
# Policy CSP - ADMX_kdc
|
||||
|
||||
>[!TIP]
|
||||
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
@ -107,7 +108,7 @@ Impact on domain controller performance when this policy setting is enabled:
|
||||
|
||||
- Secure Kerberos domain capability discovery is required, resulting in more message exchanges.
|
||||
- Claims and compound authentication for Dynamic Access Control increase the size and complexity of the data in the message, which results in more processing time and greater Kerberos service ticket size.
|
||||
- Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors, which results in increased processing time, but doesn't change the service ticket size.
|
||||
- Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors, which result in increased processing time, but doesn't change the service ticket size.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
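Review bot: Changing "which results in" to "which result in" in the Kerberos armoring bullet leaves the sentence with mixed agreement, because the same clause continues with the singular "but doesn't change the service ticket size", and the bullet above still uses "which results in". Keep the singular "results" or change both verbs together.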
@ -378,3 +379,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_Kerberos
|
||||
description: Policy CSP - ADMX_Kerberos
|
||||
description: Learn about the Policy CSP - ADMX_Kerberos.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -13,6 +13,7 @@ manager: dansimp
|
||||
---
|
||||
|
||||
# Policy CSP - ADMX_Kerberos
|
||||
|
||||
>[!TIP]
|
||||
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
@ -457,3 +458,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_LanmanServer
|
||||
description: Policy CSP - ADMX_LanmanServer
|
||||
description: Learn about the Policy CSP - ADMX_LanmanServer.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -13,6 +13,7 @@ manager: dansimp
|
||||
---
|
||||
|
||||
# Policy CSP - ADMX_LanmanServer
|
||||
|
||||
>[!TIP]
|
||||
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
@ -202,9 +203,7 @@ This policy setting specifies whether the BranchCache hash generation service su
|
||||
|
||||
If you specify only one version that is supported, content information for that version is the only type that is generated by BranchCache, and it's the only type of content information that can be retrieved by client computers. For example, if you enable support for V1 hashes, BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes.
|
||||
|
||||
Policy configuration
|
||||
|
||||
Select one of the following options:
|
||||
For policy configuration, select one of the following options:
|
||||
|
||||
- Not Configured. With this selection, BranchCache settings aren't applied to client computers by this policy setting. In this circumstance, which is the default, both V1 and V2 hash generation and retrieval are supported.
|
||||
- Enabled. With this selection, the policy setting is applied and the hash version(s) that are specified in "Hash version supported" are generated and retrieved.
|
||||
@ -286,3 +285,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_LanmanWorkstation
|
||||
description: Policy CSP - ADMX_LanmanWorkstation
|
||||
description: Learn about the Policy CSP - ADMX_LanmanWorkstation.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -13,6 +13,7 @@ manager: dansimp
|
||||
---
|
||||
|
||||
# Policy CSP - ADMX_LanmanWorkstation
|
||||
|
||||
>[!TIP]
|
||||
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
@ -210,4 +211,8 @@ ADMX Info:
|
||||
|
||||
|
||||
|
||||
<!--/Policies-->
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_LeakDiagnostic
|
||||
description: Policy CSP - ADMX_LeakDiagnostic
|
||||
description: Learn about the Policy CSP - ADMX_LeakDiagnostic.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -63,13 +63,13 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault.
|
||||
|
||||
- If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters.
|
||||
If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters.
|
||||
|
||||
- If you disable or do not configure this policy setting, Windows displays the default alert text in the disk diagnostic message.
|
||||
If you disable or don't configure this policy setting, Windows displays the default alert text in the disk diagnostic message.
|
||||
|
||||
No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately.
|
||||
|
||||
This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed.
|
||||
This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios aren't executed.
|
||||
|
||||
The DPS can be configured with the Services snap-in to the Microsoft Management Console.
|
||||
|
||||
@ -95,3 +95,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_LinkLayerTopologyDiscovery
|
||||
description: Policy CSP - ADMX_LinkLayerTopologyDiscovery
|
||||
description: Learn about Policy CSP - ADMX_LinkLayerTopologyDiscovery.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
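Review bot: The new description here reads "Learn about Policy CSP - ADMX_LinkLayerTopologyDiscovery." without the article, while the descriptions added for ADMX_Kerberos, ADMX_LanmanServer, ADMX_LanmanWorkstation and ADMX_LeakDiagnostic in this same commit read "Learn about the Policy CSP - ...". Pick one form and apply it to every front-matter description the commit touches.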
@ -13,6 +13,7 @@ manager: dansimp
|
||||
---
|
||||
|
||||
# Policy CSP - ADMX_LinkLayerTopologyDiscovery
|
||||
|
||||
>[!TIP]
|
||||
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
@ -139,3 +140,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_LocationProviderAdm
|
||||
description: Policy CSP - ADMX_LocationProviderAdm
|
||||
description: Learn about Policy CSP - ADMX_LocationProviderAdm.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -13,9 +13,16 @@ manager: dansimp
|
||||
---
|
||||
|
||||
# Policy CSP - ADMX_LocationProviderAdm
|
||||
> [!WARNING]
|
||||
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
|
||||
|
||||
> [!WARNING]
|
||||
> Some information relates to pre-released products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
|
||||
|
||||
> [!TIP]
|
||||
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
|
||||
>
|
||||
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
|
||||
<hr/>
|
||||
|
||||
<!--Policies-->
|
||||
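Review bot: In the TIP block that this hunk moves to the top of the page, "<Format>chr</Format>" is written as raw markup inside the blockquote, so a Markdown renderer can treat it as an HTML element and drop the tags from the output. Wrap it in backticks so readers see the literal element they have to put in the SyncML. The CDATA reference in the same block also links to "http://www.w3.org/TR/REC-xml/#sec-cdata-sect"; since the line is being touched anyway, switch it to https.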
@ -59,17 +66,11 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy setting turns off the Windows Location Provider feature for this computer.
|
||||
|
||||
- If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Location Provider feature.
|
||||
- If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer won't be able to use the Windows Location Provider feature.
|
||||
|
||||
- If you disable or do not configure this policy setting, all programs on this computer can use the Windows Location Provider feature.
|
||||
- If you disable or don't configure this policy setting, all programs on this computer can use the Windows Location Provider feature.
|
||||
|
||||
<!--/Description-->
|
||||
> [!TIP]
|
||||
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
|
||||
>
|
||||
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
|
||||
|
||||
<!--ADMXBacked-->
|
||||
ADMX Info:
|
||||
@ -83,7 +84,10 @@ ADMX Info:
|
||||
<hr/>
|
||||
|
||||
> [!NOTE]
|
||||
> These policies are currently only available as part of a Windows Insider release.
|
||||
> These policies are currently only available as a part of Windows Insider release.
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
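Review bot: The reworded NOTE line "These policies are currently only available as a part of Windows Insider release." drops the article before "Windows Insider release", which the previous wording ("as part of a Windows Insider release") had. Keep the earlier sentence, or write "as a part of a Windows Insider release".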
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_Logon
|
||||
description: Policy CSP - ADMX_Logon
|
||||
description: Learn about Policy CSP - ADMX_Logon.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -13,6 +13,7 @@ manager: dansimp
|
||||
---
|
||||
|
||||
# Policy CSP - ADMX_Logon
|
||||
|
||||
>[!TIP]
|
||||
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
@ -103,7 +104,7 @@ manager: dansimp
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy prevents the user from showing account details (email address or user name) on the sign-in screen.
|
||||
This policy prevents the user from showing account details (email address or user name) on the sign-in screen.
|
||||
|
||||
If you enable this policy setting, the user can't choose to show account details on the sign-in screen.
|
||||
|
||||
@ -111,7 +112,6 @@ If you disable or don't configure this policy setting, the user may choose to sh
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
|
||||
<!--ADMXBacked-->
|
||||
ADMX Info:
|
||||
- GP Friendly name: *Block user from showing account details on sign-in*
|
||||
@ -723,7 +723,7 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting determines whether Group Policy processing is synchronous (that is, whether computers wait for the network to be fully initialized during computer startup and user sign in). By default, on client computers, Group Policy processing isn't synchronous; client computers typically don't wait for the network to be fully initialized at startup and sign in. Existing users are signed in using cached credentials, which results in shorter sign-in times. Group Policy is applied in the background after the network becomes available.
|
||||
|
||||
Because this process (of applying Group Policy) is a background refresh, extensions such as Software Installation and Folder Redirection take two sign-ins to apply changes. To be able to operate safely, these extensions require that no users be signed in. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon script, may take up to two sign-ins to be detected.
|
||||
Because this process (of applying Group Policy) is a background refresh, extensions such as Software Installation and Folder Redirection take two sign-ins to apply changes. To be able to operate safely, these extensions require that no users be signed in. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon script may take up to two sign-ins to be detected.
|
||||
|
||||
If a user with a roaming profile, home directory, or user object logon script signs in to a computer, computers always wait for the network to be initialized before signing in the user. If a user has never signed in to this computer before, computers always wait for the network to be initialized.
|
||||
|
||||
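Review bot: The edited sentence removes the comma that closed the "such as ..." aside, so it now reads "such as adding a roaming profile path, home directory, or user object logon script may take up to two sign-ins to be detected" and the list runs straight into the verb. The subject is "changes that are made to the user object"; keep the comma after "logon script" so the aside stays set off on both sides.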
@ -862,3 +862,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_MicrosoftDefenderAntivirus
|
||||
description: Policy CSP - ADMX_MicrosoftDefenderAntivirus
|
||||
description: Learn about Policy CSP - ADMX_MicrosoftDefenderAntivirus.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -437,14 +437,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off.
|
||||
|
||||
Disabled (Default):
|
||||
Microsoft Defender Antivirus will exclude pre-defined list of paths from the scan to improve performance.
|
||||
If you disable or don't configure this policy setting, Microsoft Defender Antivirus will exclude pre-defined list of paths from the scan to improve performance. It is disabled by default.
|
||||
|
||||
Enabled:
|
||||
Microsoft Defender Antivirus won't exclude pre-defined list of paths from scans. This non-exclusion can impact machine performance in some scenarios.
|
||||
|
||||
Not configured:
|
||||
Same as Disabled.
|
||||
If you enable this policy setting, Microsoft Defender Antivirus won't exclude pre-defined list of paths from scans. This non-exclusion can impact machine performance in some scenarios.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
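Review bot: In the added sentence for the disabled case, "It is disabled by default." has no clear referent. It can be read as the policy setting being disabled by default or as automatic exclusions being disabled by default, and the second reading contradicts the sentence it is attached to. Because this setting decides whether a list of paths is left out of scans, say it explicitly, for example "This policy setting is disabled by default." Both rewritten sentences also need an article: "exclude a pre-defined list of paths".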
@ -489,8 +484,8 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check won't occur, which will lower the protection state of the device.
|
||||
|
||||
Enabled – The Block at First Sight setting is turned on.
|
||||
Disabled – The Block at First Sight setting is turned off.
|
||||
If you enable this feature, the Block at First Sight setting is turned on.
|
||||
If you disable this feature, the Block at First Sight setting is turned off.
|
||||
|
||||
This feature requires these Policy settings to be set as follows:
|
||||
|
||||
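Review bot: The two replacement sentences ("If you enable this feature, ..." and "If you disable this feature, ...") sit on consecutive lines with no blank line between them, so Markdown will run them together into one paragraph. Separate them with a blank line or make them a two-item list. The rest of the commit also phrases these as "If you enable this policy setting"; "this feature" here blurs whether the reader is toggling the policy or Block at First Sight itself.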
@ -501,7 +496,6 @@ This feature requires these Policy settings to be set as follows:
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
|
||||
<!--ADMXBacked-->
|
||||
ADMX Info:
|
||||
- GP Friendly name: *Configure the 'Block at First Sight' feature*
|
||||
@ -4801,3 +4795,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_MMC
|
||||
description: Policy CSP - ADMX_MMC
|
||||
description: Learn about Policy CSP - ADMX_MMC.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -328,3 +328,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
File diff suppressed because it is too large
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_MobilePCMobilityCenter
|
||||
description: Policy CSP - ADMX_MobilePCMobilityCenter
|
||||
description: Learn about Policy CSP - ADMX_MobilePCMobilityCenter.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -66,11 +66,11 @@ manager: dansimp
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting turns off Windows Mobility Center.
|
||||
- If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch it.
|
||||
|
||||
- If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file doesn't launch it.
|
||||
- If you disable this policy setting, the user is able to invoke Windows Mobility Center and the .exe file launches it.
|
||||
|
||||
If you do not configure this policy setting, Windows Mobility Center is on by default.
|
||||
If you don't configure this policy setting, Windows Mobility Center is on by default.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -113,12 +113,12 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting turns off Windows Mobility Center.
|
||||
- If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch it.
|
||||
This policy setting turns off Windows Mobility Center.
|
||||
|
||||
- If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file doesn't launch it.
|
||||
- If you disable this policy setting, the user is able to invoke Windows Mobility Center and the .exe file launches it.
|
||||
|
||||
If you do not configure this policy setting, Windows Mobility Center is on by default.
|
||||
If you don't configure this policy setting, Windows Mobility Center is on by default.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -135,3 +135,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_MobilePCPresentationSettings
|
||||
description: Policy CSP - ADMX_MobilePCPresentationSettings
|
||||
description: Learn about Policy CSP - ADMX_MobilePCPresentationSettings.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -68,9 +68,9 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy setting turns off Windows presentation settings.
|
||||
|
||||
- If you enable this policy setting, Windows presentation settings cannot be invoked.
|
||||
If you enable this policy setting, Windows presentation settings can't be invoked.
|
||||
|
||||
- If you disable this policy setting, Windows presentation settings can be invoked.
|
||||
If you disable this policy setting, Windows presentation settings can be invoked.
|
||||
|
||||
The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure their system settings before a presentation to block system notifications and screen blanking, adjust speaker volume, and apply a custom background image.
|
||||
|
||||
@ -122,14 +122,15 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting turns off Windows presentation settings.
|
||||
|
||||
- If you enable this policy setting, Windows presentation settings cannot be invoked.
|
||||
If you enable this policy setting, Windows presentation settings can't be invoked.
|
||||
|
||||
- If you disable this policy setting, Windows presentation settings can be invoked.
|
||||
If you disable this policy setting, Windows presentation settings can be invoked.
|
||||
|
||||
The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure their system settings before a presentation to block system notifications and screen blanking, adjust speaker volume, and apply a custom background image.
|
||||
|
||||
> [!NOTE]
|
||||
> Users will be able to customize their system settings for presentations in Windows Mobility Center.
|
||||
|
||||
If you do not configure this policy setting, Windows presentation settings can be invoked.
|
||||
|
||||
<!--/Description-->
|
||||
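Review bot: The last paragraph of this description still reads "If you do not configure this policy setting, Windows presentation settings can be invoked." while the lines edited in this hunk change "cannot" to "can't" and the rest of the commit changes "do not" to "don't". Update this line too so the description is consistent. This hunk and the one above it also drop the list markers from the enable/disable sentences, whereas the ADMX_MobilePCMobilityCenter hunks in the same commit keep them; use one layout for both pages.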
@ -147,3 +148,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_MSAPolicy
|
||||
description: Policy CSP - ADMX_MSAPolicy
|
||||
description: Learn about Policy CSP - ADMX_MSAPolicy.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -61,7 +61,7 @@ manager: dansimp
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting controls whether users can provide Microsoft accounts for authentication for applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication.
|
||||
This policy setting controls whether users can provide Microsoft accounts for authentication, applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication.
|
||||
|
||||
This functionality applies both to existing users of a device and new users who may be added. However, any application or service that has already authenticated a user won't be affected by enabling this setting until the authentication cache expires.
|
||||
|
||||
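Review bot: The rewritten first sentence changes the meaning. "whether users can provide Microsoft accounts for authentication, applications or services" reads as three separate things, but the next sentence in the same line says applications and services are "prevented from using Microsoft accounts for authentication", which matches the original wording "for authentication for applications or services". Restore the original phrase, or reword to "to authenticate to applications or services".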
@ -83,7 +83,8 @@ ADMX Info:
|
||||
<!--/Policy-->
|
||||
<hr/>
|
||||
|
||||
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_msched
|
||||
description: Policy CSP - ADMX_msched
|
||||
description: Learn about Policy CSP - ADMX_msched.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -13,6 +13,7 @@ manager: dansimp
|
||||
---
|
||||
|
||||
# Policy CSP - ADMX_msched
|
||||
|
||||
>[!TIP]
|
||||
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
@ -135,8 +136,8 @@ ADMX Info:
|
||||
<!--/Policy-->
|
||||
<hr/>
|
||||
|
||||
|
||||
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_MSDT
|
||||
description: Policy CSP - ADMX_MSDT
|
||||
description: Learn about Policy CSP - ADMX_MSDT.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -215,3 +215,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_MSI
|
||||
description: Policy CSP - ADMX_MSI
|
||||
description: Learn about Policy CSP - ADMX_MSI.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -187,7 +187,7 @@ If you enable this policy setting, all users are permitted to install programs f
|
||||
|
||||
This policy setting doesn't affect installations that run in the user's security context. By default, users can install from removable media when the installation runs in their own security context.
|
||||
|
||||
If you disable or don't configure this policy setting, by default, users can install programs from removable media only when the installation runs in the user's security context. During privileged installations, such as those offered on the desktop or displayed in Add or Remove Programs, only system administrators can install from removable media.
|
||||
If you disable or don't configure this policy setting, users can install programs from removable media by default, only when the installation runs in the user's security context. During privileged installations, such as those offered on the desktop or displayed in Add or Remove Programs, only system administrators can install from removable media.
|
||||
|
||||
Also, see the "Prevent removable media source for any install" policy setting.
|
||||
|
||||
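Review bot: Moving "by default" in the disabled/not-configured sentence changes how it reads. "users can install programs from removable media by default, only when the installation runs in the user's security context" first states that users can install from removable media, then adds the restriction after a comma as an afterthought. The restriction is the point of the sentence, since the next sentence limits privileged installations to system administrators. Keep the original order ("by default, users can install programs from removable media only when ...") or drop the comma before "only when".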
@ -1333,7 +1333,8 @@ ADMX Info:
|
||||
<!--/Policy-->
|
||||
<hr/>
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
<!--/Policies-->
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_MsiFileRecovery
|
||||
description: Policy CSP - ADMX_MsiFileRecovery
|
||||
description: Learn about Policy CSP - ADMX_MsiFileRecovery.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -95,4 +95,8 @@ ADMX Info:
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--/Policies-->
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -439,7 +439,8 @@ ADMX Info:
|
||||
<!--/Policy-->
|
||||
<hr/>
|
||||
|
||||
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_NCSI
|
||||
description: Policy CSP - ADMX_NCSI
|
||||
description: Learn about Policy CSP - ADMX_NCSI.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -13,6 +13,7 @@ manager: dansimp
|
||||
---
|
||||
|
||||
# Policy CSP - ADMX_NCSI
|
||||
|
||||
>[!TIP]
|
||||
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
@ -79,11 +80,10 @@ manager: dansimp
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity.
|
||||
This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
|
||||
<!--ADMXBacked-->
|
||||
ADMX Info:
|
||||
- GP Friendly name: *Specify corporate DNS probe host address*
|
||||
@ -165,7 +165,7 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity.
|
||||
This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of the prefixes indicates corporate connectivity.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -254,7 +254,7 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network.
|
||||
This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (that is, whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
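Review bot: The edited line replaces "i.e." with "that is," but leaves the second sentence as it was: "the client location is inside corporate network; otherwise it is outside the network". Add the missing article ("inside the corporate network") while the line is being changed, and use "it's" if the contraction style applied in the DNS binding hunk below is meant to hold across this page.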
@ -297,7 +297,7 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface.
|
||||
This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it's currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -359,3 +359,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_Netlogon
|
||||
description: Policy CSP - ADMX_Netlogon
|
||||
description: Learn about Policy CSP - ADMX_Netlogon.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -13,6 +13,7 @@ manager: dansimp
|
||||
---
|
||||
|
||||
# Policy CSP - ADMX_Netlogon
|
||||
|
||||
>[!TIP]
|
||||
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
@ -230,7 +231,6 @@ If you don't configure this policy setting, DC Locator APIs can return IPv4/IPv6
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
|
||||
<!--ADMXBacked-->
|
||||
ADMX Info:
|
||||
- GP Friendly name: *Return domain controller address type*
|
||||
@ -271,13 +271,13 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, isn't used if the AllowSingleLabelDnsDomain policy setting is enabled.
|
||||
This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, isn't used if the `AllowSingleLabelDnsDomain` policy setting is enabled.
|
||||
|
||||
By default, when no setting is specified for this policy, the behavior is the same as explicitly enabling this policy, unless the AllowSingleLabelDnsDomain policy setting is enabled.
|
||||
By default, when no setting is specified for this policy, the behavior is the same as explicitly enabling this policy, unless the `AllowSingleLabelDnsDomain` policy setting is enabled.
|
||||
|
||||
If you enable this policy setting, when the AllowSingleLabelDnsDomain policy isn't enabled, computers to which this policy is applied, will locate a domain controller hosting an Active Directory domain specified with a single-label name, by appending different registered DNS suffixes to perform DNS name resolution. The single-label name isn't used without appending DNS suffixes unless the computer is joined to a domain that has a single-label DNS name in the Active Directory forest. NetBIOS name resolution is performed on the single-label name only, if DNS resolution fails.
|
||||
If you enable this policy setting, when the `AllowSingleLabelDnsDomain` policy isn't enabled, computers to which this policy is applied, will locate a domain controller hosting an Active Directory domain specified with a single-label name, by appending different registered DNS suffixes to perform DNS name resolution. The single-label name isn't used without appending DNS suffixes unless the computer is joined to a domain that has a single-label DNS name in the Active Directory forest. NetBIOS name resolution is performed on the single-label name only, if DNS resolution fails.
|
||||
|
||||
If you disable this policy setting, when the AllowSingleLabelDnsDomain policy isn't enabled, computers to which this policy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name. The computers won't attempt DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest.
|
||||
If you disable this policy setting, when the `AllowSingleLabelDnsDomain` policy isn't enabled, computers to which this policy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name. The computers won't attempt DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
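Review bot: The subject-verb agreement in the first description paragraph is still wrong in the replacement line: "the computers to which this setting is applied attempts ... and uses" should read "attempt ... and use". Since the "If you enable" and "If you disable" paragraphs are already being touched for the backticks, the stray comma in "computers to which this policy is applied, will locate" and "computers to which this policy is applied, will only use" could be dropped in the same pass.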
@ -377,11 +377,11 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain name.
|
||||
|
||||
By default, the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSearch policy is disabled, then NetBIOS name resolution is used exclusively, to locate a domain controller hosting an Active Directory domain specified with a single-label name.
|
||||
By default, the behavior specified in the `AllowDnsSuffixSearch` is used. If the `AllowDnsSuffixSearch` policy is disabled, then NetBIOS name resolution is used exclusively, to locate a domain controller hosting an Active Directory domain specified with a single-label name.
|
||||
|
||||
If you enable this policy setting, computers to which this policy is applied will attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name using DNS name resolution.
|
||||
|
||||
If you disable this policy setting, computers to which this setting is applied will use the AllowDnsSuffixSearch policy, if it isn't disabled or perform NetBIOS name resolution otherwise, to attempt to locate a domain controller that hosts an Active Directory domain specified with a single-label name. the computers won't the DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name that exists in the Active Directory forest to which this computer is joined.
|
||||
If you disable this policy setting, computers to which this setting is applied will use the `AllowDnsSuffixSearch` policy, if it isn't disabled or perform NetBIOS name resolution otherwise, to attempt to locate a domain controller that hosts an Active Directory domain specified with a single-label name. The computers won't use the DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name that exists in the Active Directory forest to which this computer is joined.
|
||||
|
||||
If you don't configure this policy setting, it isn't applied to any computers, and computers use their local configuration.
|
||||
|
||||
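Review bot: In the "By default" replacement line, "the behavior specified in the `AllowDnsSuffixSearch` is used" leaves a code-formatted name with no noun after it; add "policy" after the name, as the next sentence in the same line does. In the last changed paragraph, "won't use the DNS name resolution" keeps a stray "the", and "if it isn't disabled or perform NetBIOS name resolution otherwise" needs a comma after "disabled" so the two fallbacks can be told apart.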
@ -1083,7 +1083,7 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies the extra time for the computer to wait for the domain controller’s (DC) response when logging on to the network.
|
||||
|
||||
To specify the expected dial-up delay at sign in, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute).
|
||||
To specify the expected dial-up delay at sign-in, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute).
|
||||
|
||||
If you don't configure this policy setting, it isn't applied to any computers, and computers use their local configuration.
|
||||
|
||||
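Review bot: The replacement line switches to "sign-in", but the first sentence of the same description still says "when logging on to the network", so the hunk leaves two terms for the same event within three lines. Update that context line too, or leave both as they were and handle the terminology in one follow-up.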
@ -1183,7 +1183,7 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it.
|
||||
This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. The records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it.
|
||||
|
||||
The GC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they're used to locate the GC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory.
|
||||
|
||||
@ -1492,7 +1492,7 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) couldn't be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC.
|
||||
|
||||
The default value for this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum value for this setting is 0.
|
||||
The default value for this setting is 45 seconds. The maximum value for this setting is seven days (7*24*60*60). The minimum value for this setting is 0.
|
||||
|
||||
> [!WARNING]
|
||||
> If the value for this setting is too large, a client won't attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available.
|
||||
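Review bot: Spelling out "seven days" while keeping the unevaluated expression "(7*24*60*60)" does not help with a setting that is entered in seconds. State the value directly, for example "seven days (604800 seconds)", so it can be compared with the 45-second default and with what an administrator actually types. The warning below depends on readers picking a sensible value, which is easier when the upper bound is given as a number.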
@ -1990,3 +1990,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_NetworkConnections
|
||||
description: Policy CSP - ADMX_NetworkConnections
|
||||
description: Learn about Policy CSP - ADMX_NetworkConnections.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
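Review bot: The new description, "Learn about Policy CSP - ADMX_NetworkConnections.", still only restates the title with two words in front of it. A description that says what the policies in this area control would serve readers and search results better than the prefix.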
@ -1471,7 +1471,7 @@ If you enable this setting, ICS can't be enabled or configured by administrators
|
||||
|
||||
If you disable this setting or don't configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard.
|
||||
|
||||
By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS.
|
||||
By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When administrators are running the New Connection Wizard or Network Setup Wizard, they can choose to enable ICS.
|
||||
|
||||
> [!NOTE]
|
||||
> Internet Connection Sharing is only available when two or more network connections are present.
|
||||
@ -1594,5 +1594,8 @@ ADMX Info:
|
||||
<!--/Policy-->
|
||||
<hr/>
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
<!--/Policies-->
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
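Review bot: `<!--/Policies-->` appears twice in this hunk, and the +/- markers are not visible in this rendering. Confirm that one of the two is the removed line (for example, a newline-at-end-of-file change) and that the resulting file closes the Policies block only once before "## Related topics".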
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_OfflineFiles
|
||||
description: Policy CSP - ADMX_OfflineFiles
|
||||
description: Learn about Policy CSP - ADMX_OfflineFiles.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -13,6 +13,7 @@ manager: dansimp
|
||||
---
|
||||
|
||||
# Policy CSP - ADMX_OfflineFiles
|
||||
|
||||
>[!TIP]
|
||||
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
@ -249,7 +250,7 @@ This policy setting lists network files and folders that are always available fo
|
||||
|
||||
If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank.
|
||||
|
||||
If you disable this policy setting, the list of files or folders made always available offline (including those files or folders inherited from lower precedence GPOs) is deleted and no files or folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use).
|
||||
If you disable this policy setting, the list of files or folders made always available offline (including those files or folders inherited from lower precedence GPOs) is deleted. And, no files or folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use).
|
||||
|
||||
If you don't configure this policy setting, no files or folders are made available for offline use by Group Policy.
|
||||
|
||||
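Review bot: Splitting the sentence as "is deleted. And, no files or folders are made available" leaves a sentence that opens with "And," followed by a long parenthetical. Either keep the original single sentence or start the second one with "No files or folders are made available for offline use by Group Policy, though users can still specify their own."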
@ -301,7 +302,7 @@ This policy setting lists network files and folders that are always available fo
|
||||
|
||||
If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank.
|
||||
|
||||
If you disable this policy setting, the list of files or folders made always available offline (including those files or folders inherited from lower precedence GPOs) is deleted and no files or folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use).
|
||||
If you disable this policy setting, the list of files or folders made always available offline (including those files or folders inherited from lower precedence GPOs) is deleted. And, no files or folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use).
|
||||
|
||||
If you don't configure this policy setting, no files or folders are made available for offline use by Group Policy.
|
||||
|
||||
@ -464,7 +465,6 @@ This setting also disables the "When a network connection is lost" option on the
|
||||
If you enable this setting, you can use the "Action" box to specify how computers in the group respond.
|
||||
|
||||
- "Work offline" indicates that the computer can use local copies of network files while the server is inaccessible.
|
||||
|
||||
- "Never go offline" indicates that network files aren't available while the server is inaccessible.
|
||||
|
||||
If you disable this setting or select the "Work offline" option, users can work offline if disconnected.
|
||||
@ -525,8 +525,7 @@ This setting also disables the "When a network connection is lost" option on the
|
||||
|
||||
If you enable this setting, you can use the "Action" box to specify how computers in the group respond.
|
||||
|
||||
- "Work offline" indicates that the computer can use local copies of network files while the server is inaccessible.
|
||||
|
||||
- "Work offline" indicates that the computer can use local copies of network files while the server is inaccessible.
|
||||
- "Never go offline" indicates that network files aren't available while the server is inaccessible.
|
||||
|
||||
If you disable this setting or select the "Work offline" option, users can work offline if disconnected.
|
||||
@ -704,7 +703,7 @@ If you don't configure this policy setting, encryption of the Offline Files cach
|
||||
> [!NOTE]
|
||||
> By default, this cache is protected on NTFS partitions by ACLs.
|
||||
|
||||
This setting is applied at user sign in. If this setting is changed after user sign in, then user sign out and sign in is required for this setting to take effect.
|
||||
This setting is applied at user sign-in. If this setting is changed after user sign-in, then user sign-out and sign-in is required for this setting to take effect.
|
||||
<!--/Description-->
|
||||
|
||||
|
||||
@ -748,7 +747,7 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting determines which events the Offline Files feature records in the event log.
|
||||
|
||||
Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify the other events you want Offline Files to record.
|
||||
Offline Files records events in the Application login Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify the other events you want Offline Files to record.
|
||||
|
||||
To use this setting, in the "Enter" box, select the number corresponding to the events you want the system to log. The levels are cumulative; that is, each level includes the events in all preceding levels.
|
||||
|
||||
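Review bot: "Application log in Event Viewer" has become "Application login Event Viewer" in the replacement line, which changes the meaning: the sentence is naming the Application log, viewed in Event Viewer, not a login. This looks like a search-and-replace on "log in"; revert this line to "Application log in Event Viewer" so that readers looking for these events are pointed at the right log.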
@ -806,16 +805,13 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting determines which events the Offline Files feature records in the event log.
|
||||
|
||||
Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify the other events you want Offline Files to record.
|
||||
Offline Files records events in the Application login Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify the other events you want Offline Files to record.
|
||||
|
||||
To use this setting, in the "Enter" box, select the number corresponding to the events you want the system to log. The levels are cumulative; that is, each level includes the events in all preceding levels.
|
||||
|
||||
- "0" records an error when the offline storage cache is corrupted.
|
||||
|
||||
- "0" records an error when the offline storage cache is corrupted.
|
||||
- "1" also records an event when the server hosting the offline file is disconnected from the network.
|
||||
|
||||
- "2" also records events when the local computer is connected and disconnected from the network.
|
||||
|
||||
- "3" also records an event when the server hosting the offline file is reconnected to the network.
|
||||
|
||||
> [!NOTE]
|
||||
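Review bot: The replacement line in this hunk also turns "Application log in Event Viewer" into "Application login Event Viewer". Restore "Application log in Event Viewer"; the cumulative levels "0" to "3" listed below only help an administrator who knows the events are written to the Application log.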
@ -911,7 +907,7 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
Lists types of files that can't be used offline.
|
||||
|
||||
This setting lets you exclude certain types of files from automatic and manual caching for offline use. The system doesn't cache files of the type specified in this setting even when they reside on a network share configured for automatic caching. Also, if users try to make a file of this type available offline, the operation will fail and the following message will be displayed in the Synchronization Manager progress dialog box: "Files of this type cannot be made available offline."
|
||||
This setting lets you exclude certain types of files from automatic and manual caching for offline use. The system doesn't cache files of the type specified in this setting even when they reside on a network share configured for automatic caching. Also, if users try to make a file of this type available offline, the operation will fail and the following message will be displayed in the Synchronization Manager progress dialog box: "Files of this type can't be made available offline."
|
||||
|
||||
This setting is designed to protect files that can't be separated, such as database components.
|
||||
|
||||
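Review bot: The contraction pass has rewritten a quoted dialog message: "Files of this type cannot be made available offline." is now "Files of this type can't be made available offline." Text inside the quotation marks is presented as what the Synchronization Manager dialog displays, so it should match the product string exactly; keep "cannot" unless the UI text itself changed.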
@ -1773,7 +1769,7 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting allows you to turn on economical application of administratively assigned Offline Files.
|
||||
|
||||
If you enable or don't configure this policy setting, only new files and folders in administratively assigned folders are synchronized at sign in. Files and folders that are already available offline are skipped and are synchronized later.
|
||||
If you enable or don't configure this policy setting, only new files and folders in administratively assigned folders are synchronized at sign-in. Files and folders that are already available offline are skipped and are synchronized later.
|
||||
|
||||
If you disable this policy setting, all administratively assigned folders are synchronized at logon.
|
||||
|
||||
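Review bot: The replacement line now says "synchronized at sign-in", but the very next paragraph in the context still says "synchronized at logon", so enabling and disabling the same setting are described with different terms. Change the "If you disable" line to match, or leave both untouched.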
@ -2334,7 +2330,7 @@ This policy setting determines whether offline files are fully synchronized when
|
||||
|
||||
This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This disablement prevents users from trying to change the option while a setting controls it.
|
||||
|
||||
If you enable this setting, offline files are fully synchronized at sign in. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon synchronization in Synchronization Manager.
|
||||
If you enable this setting, offline files are fully synchronized at sign-in. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon synchronization in Synchronization Manager.
|
||||
|
||||
If this setting is disabled and Synchronization Manager is configured for logon synchronization, the system performs only a quick synchronization. Quick synchronization ensures that files are complete but doesn't ensure that they're current.
|
||||
|
||||
@ -2392,11 +2388,11 @@ This policy setting determines whether offline files are fully synchronized when
|
||||
|
||||
This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This disablement prevents users from trying to change the option while a setting controls it.
|
||||
|
||||
If you enable this setting, offline files are fully synchronized at sign in. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon synchronization in Synchronization Manager.
|
||||
If you enable this setting, offline files are fully synchronized at sign-in. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon synchronization in Synchronization Manager.
|
||||
|
||||
If this setting is disabled and Synchronization Manager is configured for logon synchronization, the system performs only a quick synchronization. Quick synchronization ensures that files are complete but doesn't ensure that they're current.
|
||||
|
||||
If you don't configure this setting and Synchronization Manager is configured for logon synchronization, the system performs a quick synchronization by default, but users can change this option.
|
||||
If you don't configure this setting and Synchronization Manager is configured for logon synchronization, the system performs a quick synchronization by default. However, users can change this option.
|
||||
|
||||
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
|
||||
|
||||
@ -2662,3 +2658,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_pca
|
||||
description: Policy CSP - ADMX_pca
|
||||
description: Learn about Policy CSP - ADMX_pca.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -82,10 +82,11 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with application and driver compatibility.
|
||||
|
||||
- If you enable this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. When failures are detected, the PCA will provide options to run the application in a compatibility mode or get help online through a Microsoft website.
|
||||
- If you disable this policy setting, the PCA does not detect compatibility issues for applications and drivers.
|
||||
If you enable this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. When failures are detected, the PCA will provide options to run the application in a compatibility mode or get help online through a Microsoft website.
|
||||
|
||||
If you do not configure this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues.
|
||||
If you disable this policy setting, the PCA doesn't detect compatibility issues for applications and drivers.
|
||||
|
||||
If you don't configure this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues.
|
||||
|
||||
> [!NOTE]
|
||||
> This policy setting has no effect if the "Turn off Program Compatibility Assistant" policy setting is enabled.
|
||||
@ -132,7 +133,7 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This setting exists only for backward compatibility, and is not valid for this version of Windows.
|
||||
This setting exists only for backward compatibility, and isn't valid for this version of Windows.
|
||||
|
||||
To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative
|
||||
Templates\Windows Components\Application Compatibility.
|
||||
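Review bot: The Group Policy path in the context lines is still broken across two lines, "Computer Configuration\Administrative" followed by "Templates\Windows Components\Application Compatibility", while the other copies of this sentence in the file keep it on one line. Join the two lines while this description is being edited so the path can be read and copied as a whole.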
@ -179,7 +180,7 @@ ADMX Info:
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
|
||||
This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
|
||||
This setting exists only for backward compatibility, and isn't valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -221,7 +222,7 @@ ADMX Info:
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
|
||||
This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
|
||||
This setting exists only for backward compatibility, and isn't valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -264,7 +265,8 @@ ADMX Info:
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
|
||||
This setting exists only for backward compatibility, and is not valid for this version of Windows.
|
||||
This setting exists only for backward compatibility, and isn't valid for this version of Windows.
|
||||
|
||||
To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
|
||||
|
||||
<!--/Description-->
|
||||
@ -308,7 +310,8 @@ ADMX Info:
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
|
||||
This setting exists only for backward compatibility, and is not valid for this version of Windows.
|
||||
This setting exists only for backward compatibility, and isn't valid for this version of Windows.
|
||||
|
||||
To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
|
||||
|
||||
<!--/Description-->
|
||||
@ -352,7 +355,8 @@ ADMX Info:
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
|
||||
This setting exists only for backward compatibility, and is not valid for this version of Windows.
|
||||
This setting exists only for backward compatibility, and isn't valid for this version of Windows.
|
||||
|
||||
To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
|
||||
|
||||
<!--/Description-->
|
||||
@ -371,3 +375,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_PeerToPeerCaching
|
||||
description: Policy CSP - ADMX_PeerToPeerCaching
|
||||
description: Learn about Policy CSP - ADMX_PeerToPeerCaching.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -13,6 +13,7 @@ manager: dansimp
|
||||
---
|
||||
|
||||
# Policy CSP - ADMX_PeerToPeerCaching
|
||||
|
||||
>[!TIP]
|
||||
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
@ -90,9 +91,7 @@ This policy setting specifies whether BranchCache is enabled on client computers
|
||||
- Set BranchCache Hosted Cache mode
|
||||
- Configure Hosted Cache Servers
|
||||
|
||||
Policy configuration
|
||||
|
||||
Select one of the following options:
|
||||
For policy configuration, select one of the following options:
|
||||
|
||||
- Not Configured: With this selection, BranchCache settings aren't applied to client computers by this policy. In the circumstance where client computers are domain members but you don't want to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy setting isn't configured, it won't over-write the enabled setting that you use on individual client computers where you want to enable BranchCache.
|
||||
- Enabled: With this selection, BranchCache is turned on for all client computers where the policy is applied. For example, if this policy is enabled in domain Group Policy, BranchCache is turned on for all domain member client computers to which the policy is applied.
|
||||
@ -146,9 +145,7 @@ This policy setting specifies whether BranchCache distributed cache mode is enab
|
||||
|
||||
In distributed cache mode, client computers download content from BranchCache-enabled main office content servers, cache the content locally, and serve the content to other BranchCache distributed cache mode clients in the branch office.
|
||||
|
||||
Policy configuration
|
||||
|
||||
Select one of the following options:
|
||||
For policy configuration, select one of the following options:
|
||||
|
||||
- Not Configured: With this selection, BranchCache settings aren't applied to client computers by this policy. In the circumstance where client computers are domain members but you don't want to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy setting isn't configured, it won't over-write the enabled setting that you use on individual client computers where you want to enable BranchCache.
|
||||
- Enabled: With this selection, BranchCache distributed cache mode is enabled for all client computers where the policy is applied. For example, if this policy is enabled in domain Group Policy, BranchCache distributed cache mode is turned on for all domain member client computers to which the policy is applied.
|
||||
@ -202,9 +199,7 @@ This policy setting specifies whether BranchCache hosted cache mode is enabled o
|
||||
|
||||
When a client computer is configured as a hosted cache mode client, it's able to download cached content from a hosted cache server that is located at the branch office. In addition, when the hosted cache client obtains content from a content server, the client can upload the content to the hosted cache server for access by other hosted cache clients at the branch office.
|
||||
|
||||
Policy configuration
|
||||
|
||||
Select one of the following options:
|
||||
For policy configuration, select one of the following options:
|
||||
|
||||
- Not Configured: With this selection, BranchCache settings aren't applied to client computers by this policy. In the circumstance where client computers are domain members but you don't want to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy setting isn't configured, it won't over-write the enabled setting that you use on individual client computers where you want to enable BranchCache.
|
||||
- Enabled: With this selection, BranchCache hosted cache mode is enabled for all client computers where the policy is applied. For example, if this policy is enabled in domain Group Policy, BranchCache hosted cache mode is turned on for all domain member client computers to which the policy is applied.
|
||||
@ -276,9 +271,7 @@ This policy setting can only be applied to client computers that are running at
|
||||
|
||||
If you disable, or don't configure this setting, a client won't attempt to discover hosted cache servers by service connection point.
|
||||
|
||||
Policy configuration
|
||||
|
||||
Select one of the following options:
|
||||
For policy configuration, select one of the following options:
|
||||
|
||||
- Not Configured: With this selection, BranchCache settings aren't applied to client computers by this policy setting, and client computers don't perform hosted cache server discovery.
|
||||
- Enabled: With this selection, the policy setting is applied to client computers, which perform automatically hosted cache server discovery and which are configured as hosted cache mode clients.
|
||||
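Review bot: The options list in this hunk covers only Not Configured and Enabled, while the paragraph above it begins "If you disable, or don't configure this setting"; either add a Disabled bullet or state that Disabled behaves the same as Not Configured. In the Enabled bullet, "which perform automatically hosted cache server discovery" should read "which automatically perform hosted cache server discovery".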
@ -329,13 +322,11 @@ This policy setting specifies whether client computers are configured to use hos
|
||||
|
||||
If you enable this policy setting and specify valid computer names of hosted cache servers, hosted cache mode is enabled for all client computers to which the policy setting is applied. For this policy setting to take effect, you must also enable the "Turn on BranchCache" policy setting.
|
||||
|
||||
This policy setting can only be applied to client computers that are running at least Windows 8. This policy has no effect on computers that are running Windows 7 or Windows Vista. Client computers to which this policy setting is applied, in addition to the "Set BranchCache Hosted Cache mode" policy setting, use the hosted cache servers that are specified in this policy setting and don't use the hosted cache server that is configured in the policy setting "Set BranchCache Hosted Cache Mode."
|
||||
This policy setting can only be applied to client computers that are running at least Windows 8. This policy has no effect on computers that are running Windows 7 or Windows Vista. Client computers to which this policy setting is applied, in addition to the "Set BranchCache Hosted Cache mode" policy setting, use the hosted cache servers that are specified in this policy setting and don't use the hosted cache server that is configured in the policy setting "Set BranchCache Hosted Cache Mode".
|
||||
|
||||
If you don't configure this policy setting, or if you disable this policy setting, client computers that are configured with hosted cache mode still function correctly.
|
||||
|
||||
Policy configuration
|
||||
|
||||
Select one of the following options:
|
||||
For policy configuration, select one of the following options:
|
||||
|
||||
- Not Configured: With this selection, BranchCache settings aren't applied to client computers by this policy setting.
|
||||
- Enabled: With this selection, the policy setting is applied to client computers, which are configured as hosted cache mode clients that use the hosted cache servers that you specify in "Hosted cache servers."
|
||||
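Review bot: The new sentence moves the period outside the closing quote ("Set BranchCache Hosted Cache Mode".), but the Enabled bullet at the end of this hunk still ends with "Hosted cache servers." with the period inside, and the edited sentence itself spells the policy name both as "Hosted Cache mode" and as "Hosted Cache Mode". Pick one punctuation style and one capitalization of the policy name and apply them across the hunk.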
@ -388,9 +379,7 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting is used only when you've deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients don't cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers.
|
||||
|
||||
Policy configuration
|
||||
|
||||
Select one of the following options:
|
||||
For policy configuration, select one of the following options:
|
||||
|
||||
- Not Configured: With this selection, BranchCache latency settings aren't applied to client computers by this policy. In the circumstance where client computers are domain members but you don't want to configure a BranchCache latency setting on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache latency settings on individual client computers. Because the domain Group Policy setting isn't configured, it won't over-write the latency setting that you use on individual client computers.
|
||||
- Enabled: With this selection, the BranchCache maximum round trip latency setting is enabled for all client computers where the policy is applied. For example, if Configure BranchCache for network files is enabled in domain Group Policy, the BranchCache latency setting that you specify in the policy is turned on for all domain member client computers to which the policy is applied.
|
||||
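Review bot: The description line is ambiguous at the boundary: clients don't cache "until the network latency reaches the specified value", yet caching begins "when network latency is greater than the value", so the reader can't tell what happens when latency equals the configured value. State a single comparison. The Not Configured bullet also keeps the hyphenated "over-write"; "overwrite" is the usual spelling.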
@ -447,9 +436,7 @@ If you enable this policy setting, you can configure the percentage of total dis
|
||||
|
||||
If you disable or don't configure this policy setting, the cache is set to 5 percent of the total disk space on the client computer.
|
||||
|
||||
Policy configuration
|
||||
|
||||
Select one of the following options:
|
||||
For policy configuration, select one of the following options:
|
||||
|
||||
- Not Configured: With this selection, BranchCache client computer cache settings aren't applied to client computers by this policy. In the circumstance where client computers are domain members but you don't want to configure a BranchCache client computer cache setting on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache client computer cache settings on individual client computers. Because the domain Group Policy setting isn't configured, it won't over-write the client computer cache setting that you use on individual client computers.
|
||||
- Enabled: With this selection, the BranchCache client computer cache setting is enabled for all client computers where the policy is applied. For example, if Set percentage of disk space used for client computer cache is enabled in domain Group Policy, the BranchCache client computer cache setting that you specify in the policy is turned on for all domain member client computers to which the policy is applied.
|
||||
@ -509,9 +496,7 @@ If you enable this policy setting, you can configure the age for segments in the
|
||||
|
||||
If you disable or don't configure this policy setting, the age is set to 28 days.
|
||||
|
||||
Policy configuration
|
||||
|
||||
Select one of the following options:
|
||||
For policy configuration, select one of the following options:
|
||||
|
||||
- Not Configured: With this selection, BranchCache client computer cache age settings aren't applied to client computers by this policy. In the circumstance where client computers are domain members but you don't want to configure a BranchCache client computer cache age setting on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache client computer cache age settings on individual client computers. Because the domain Group Policy setting isn't configured, it won't over-write the client computer cache age setting that you use on individual client computers.
|
||||
- Enabled: With this selection, the BranchCache client computer cache age setting is enabled for all client computers where the policy is applied. For example, if this policy setting is enabled in domain Group Policy, the BranchCache client computer cache age that you specify in the policy is turned on for all domain member client computers to which the policy is applied.
|
||||
@ -568,9 +553,7 @@ If you enable this policy setting, all clients use the version of BranchCache th
|
||||
|
||||
If you don't configure this setting, all clients will use the version of BranchCache that matches their operating system.
|
||||
|
||||
Policy configuration
|
||||
|
||||
Select one of the following options:
|
||||
For policy configuration, select one of the following options:
|
||||
|
||||
- Not Configured: With this selection, this policy setting isn't applied to client computers, and the clients run the version of BranchCache that is included with their operating system.
|
||||
- Enabled: With this selection, this policy setting is applied to client computers based on the value of the option setting "Select from the following versions" that you specify.
|
||||
@ -600,3 +583,7 @@ ADMX Info:
|
||||
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_PenTraining
|
||||
description: Policy CSP - ADMX_PenTraining
|
||||
description: Learn about Policy CSP - ADMX_PenTraining.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
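Review bot: The new description, "Learn about Policy CSP - ADMX_PenTraining.", still only restates the title, so it adds nothing for search results or link previews. Say what the policies do, for example that they turn off Tablet PC Pen Training. The same applies to the other "Learn about Policy CSP - ..." descriptions changed in this commit.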
@ -66,9 +66,9 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
Turns off Tablet PC Pen Training.
|
||||
|
||||
- If you enable this policy setting, users cannot open Tablet PC Pen Training.
|
||||
- If you enable this policy setting, users can't open Tablet PC Pen Training.
|
||||
|
||||
- If you disable or do not configure this policy setting, users can open Tablet PC Pen Training.
|
||||
- If you disable or don't configure this policy setting, users can open Tablet PC Pen Training.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -113,9 +113,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
Turns off Tablet PC Pen Training.
|
||||
|
||||
- If you enable this policy setting, users cannot open Tablet PC Pen Training.
|
||||
- If you enable this policy setting, users can't open Tablet PC Pen Training.
|
||||
|
||||
- If you disable or do not configure this policy setting, users can open Tablet PC Pen Training.
|
||||
- If you disable or don't configure this policy setting, users can open Tablet PC Pen Training.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
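Review bot: The description in this hunk is word for word the same as the one in the hunk at -66 ("Turns off Tablet PC Pen Training." plus both bullets), so the text gives no way to tell the two policies apart. Add a sentence to each description saying what distinguishes it from the other.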
@ -133,3 +133,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_PerformanceDiagnostics
|
||||
description: Policy CSP - ADMX_PerformanceDiagnostics
|
||||
description: Learn about Policy CSP - ADMX_PerformanceDiagnostics.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -13,6 +13,7 @@ manager: dansimp
|
||||
---
|
||||
|
||||
# Policy CSP - ADMX_PerformanceDiagnostics
|
||||
|
||||
>[!TIP]
|
||||
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
@ -72,7 +73,7 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy setting determines the execution level for Windows Boot Performance Diagnostics.
|
||||
|
||||
If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Boot Performance problems and indicate to the user that assisted resolution is available.
|
||||
If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting, and resolution, the DPS will detect Windows Boot Performance problems and indicate to the user that assisted resolution is available.
|
||||
|
||||
If you disable this policy setting, Windows won't be able to detect, troubleshoot or resolve any Windows Boot Performance problems that are handled by the DPS.
|
||||
|
||||
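Review bot: The edit adds the serial comma in "detection, troubleshooting, and resolution", but the next paragraph in this hunk still reads "detect, troubleshoot or resolve". Add the comma there as well so the section is consistent; the hunks at -127, -182 and -237 have the same leftover.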
@ -80,7 +81,8 @@ If you don't configure this policy setting, the DPS will enable Windows Boot Per
|
||||
|
||||
This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured.
|
||||
|
||||
No system restart or service restart is required for this policy to take effect: changes take effect immediately.
|
||||
>[!Note]
|
||||
>No system restart or service restart is required for this policy to take effect; changes take effect immediately.
|
||||
|
||||
This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios won't be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
|
||||
|
||||
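Review bot: The new alert is written ">[!Note]", while the alert at the top of this file is written ">[!TIP]" in upper case. Use ">[!NOTE]" so the alert syntax is consistent within the file.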
@ -127,7 +129,7 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
Determines the execution level for Windows Standby/Resume Performance Diagnostics.
|
||||
|
||||
If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available.
|
||||
If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting, and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available.
|
||||
|
||||
If you disable this policy setting, Windows won't be able to detect, troubleshoot or resolve any Windows Standby/Resume Performance problems that are handled by the DPS.
|
||||
|
||||
@ -182,7 +184,7 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting determines the execution level for Windows Shutdown Performance Diagnostics.
|
||||
|
||||
If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Shutdown Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Shutdown Performance problems and indicate to the user that assisted resolution is available.
|
||||
If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Shutdown Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting, and resolution, the DPS will detect Windows Shutdown Performance problems and indicate to the user that assisted resolution is available.
|
||||
|
||||
If you disable this policy setting, Windows won't be able to detect, troubleshoot or resolve any Windows Shutdown Performance problems that are handled by the DPS.
|
||||
|
||||
@ -237,7 +239,7 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
Determines the execution level for Windows Standby/Resume Performance Diagnostics.
|
||||
|
||||
If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available.
|
||||
If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting, and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available.
|
||||
|
||||
If you disable this policy setting, Windows won't be able to detect, troubleshoot or resolve any Windows Standby/Resume Performance problems that are handled by the DPS.
|
||||
|
||||
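Review bot: This description, "Determines the execution level for Windows Standby/Resume Performance Diagnostics.", is identical to the one in the hunk at -127, including the body paragraphs. Confirm that both policies really cover Standby/Resume and that one is not a copy of the other; if both are correct, say what differs between them. The Boot and Shutdown descriptions also open with "This policy setting determines", while these two open with "Determines".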
@ -267,3 +269,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_Power
|
||||
description: Policy CSP - ADMX_Power
|
||||
description: Learn about Policy CSP - ADMX_Power.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -13,6 +13,7 @@ manager: dansimp
|
||||
---
|
||||
|
||||
# Policy CSP - ADMX_Power
|
||||
|
||||
>[!TIP]
|
||||
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
@ -137,9 +138,9 @@ This policy setting allows you to control the network connectivity state in stan
|
||||
|
||||
If you enable this policy setting, network connectivity will be maintained in standby.
|
||||
|
||||
If you disable this policy setting, network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change.
|
||||
If you disable this policy setting, network connectivity in standby isn't guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change.
|
||||
|
||||
If you do not configure this policy setting, users control this setting.
|
||||
If you don't configure this policy setting, users control this setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -186,7 +187,7 @@ This policy setting allows you to turn on the ability for applications and servi
|
||||
|
||||
If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate).
|
||||
|
||||
If you disable or do not configure this policy setting, users control this setting.
|
||||
If you disable or don't configure this policy setting, users control this setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -237,7 +238,7 @@ If you enable this policy setting, select one of the following actions:
|
||||
- Hibernate
|
||||
- Shut down
|
||||
|
||||
If you disable this policy or do not configure this policy setting, users control this setting.
|
||||
If you disable this policy or don't configure this policy setting, users control this setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -284,7 +285,7 @@ This policy setting allows applications and services to prevent automatic sleep.
|
||||
|
||||
If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity.
|
||||
|
||||
If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep.
|
||||
If you disable or don't configure this policy setting, applications, services, or drivers don't prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -331,7 +332,7 @@ This policy setting allows applications and services to prevent automatic sleep.
|
||||
|
||||
If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity.
|
||||
|
||||
If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep.
|
||||
If you disable or don't configure this policy setting, applications, services, or drivers don't prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -378,7 +379,7 @@ This policy setting allows you to manage automatic sleep with open network files
|
||||
|
||||
If you enable this policy setting, the computer automatically sleeps when network files are open.
|
||||
|
||||
If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open.
|
||||
If you disable or don't configure this policy setting, the computer doesn't automatically sleep when network files are open.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -425,7 +426,7 @@ This policy setting allows you to manage automatic sleep with open network files
|
||||
|
||||
If you enable this policy setting, the computer automatically sleeps when network files are open.
|
||||
|
||||
If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open.
|
||||
If you disable or don't configure this policy setting, the computer doesn't automatically sleep when network files are open.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -468,11 +469,11 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting specifies the active power plan from a specified power plan’s GUID. The GUID for a custom power plan GUID can be retrieved by using powercfg, the power configuration command line tool.
|
||||
This policy setting specifies the active power plan from a specified power plan’s GUID. The GUID for a custom power plan GUID can be retrieved by using `powercfg`, the power configuration command line tool.
|
||||
|
||||
If you enable this policy setting, you must specify a power plan, specified as a GUID using the following format: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, 103eea6e-9fcd-4544-a713-c282d8e50083), indicating the power plan to be active.
|
||||
|
||||
If you disable or do not configure this policy setting, users can see and change this setting.
|
||||
If you disable or don't configure this policy setting, users can see and change this setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
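Review bot: The changed line still reads "The GUID for a custom power plan GUID can be retrieved"; drop the second "GUID". In the next paragraph, "specify a power plan, specified as a GUID" repeats itself, and "(For example, ...)" should start in lower case because it sits mid-sentence.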
@ -524,7 +525,7 @@ If you enable this policy setting, select one of the following actions:
|
||||
- Hibernate
|
||||
- Shut down
|
||||
|
||||
If you disable or do not configure this policy setting, users control this setting.
|
||||
If you disable or don't configure this policy setting, users control this setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -576,7 +577,7 @@ If you enable this policy setting, select one of the following actions:
|
||||
- Hibernate
|
||||
- Shut down
|
||||
|
||||
If you disable or do not configure this policy setting, users control this setting.
|
||||
If you disable or don't configure this policy setting, users control this setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -625,7 +626,7 @@ If you enable this policy setting, you must enter a numeric value (percentage) t
|
||||
|
||||
To set the action that is triggered, see the "Critical Battery Notification Action" policy setting.
|
||||
|
||||
If you disable this policy setting or do not configure it, users control this setting.
|
||||
If you disable this policy setting or don't configure it, users control this setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -676,7 +677,7 @@ To configure the low battery notification level, see the "Low Battery Notificati
|
||||
|
||||
The notification will only be shown if the "Low Battery Notification Action" policy setting is configured to "No Action".
|
||||
|
||||
If you disable or do not configure this policy setting, users can control this setting.
|
||||
If you disable or don't configure this policy setting, users can control this setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -725,7 +726,7 @@ If you enable this policy setting, you must enter a numeric value (percentage) t
|
||||
|
||||
To set the action that is triggered, see the "Low Battery Notification Action" policy setting.
|
||||
|
||||
If you disable this policy setting or do not configure it, users control this setting.
|
||||
If you disable this policy setting or don't configure it, users control this setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -772,9 +773,9 @@ This policy setting allows you to control the network connectivity state in stan
|
||||
|
||||
If you enable this policy setting, network connectivity will be maintained in standby.
|
||||
|
||||
If you disable this policy setting, network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change.
|
||||
If you disable this policy setting, network connectivity in standby isn't guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change.
|
||||
|
||||
If you do not configure this policy setting, users control this setting.
|
||||
If you don't configure this policy setting, users control this setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -821,7 +822,7 @@ This policy setting allows you to turn on the ability for applications and servi
|
||||
|
||||
If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate).
|
||||
|
||||
If you disable or do not configure this policy setting, users control this setting.
|
||||
If you disable or don't configure this policy setting, users control this setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -872,7 +873,7 @@ If you enable this policy setting, select one of the following actions:
|
||||
- Hibernate
|
||||
- Shut down
|
||||
|
||||
If you disable this policy or do not configure this policy setting, users control this setting.
|
||||
If you disable this policy or don't configure this policy setting, users control this setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -919,7 +920,7 @@ This policy setting specifies the period of inactivity before Windows turns off
|
||||
|
||||
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk.
|
||||
|
||||
If you disable or do not configure this policy setting, users can see and change this setting.
|
||||
If you disable or don't configure this policy setting, users can see and change this setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -966,7 +967,7 @@ This policy setting specifies the period of inactivity before Windows turns off
|
||||
|
||||
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk.
|
||||
|
||||
If you disable or do not configure this policy setting, users can see and change this setting.
|
||||
If you disable or don't configure this policy setting, users can see and change this setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1011,7 +1012,7 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting allows you to configure whether power is automatically turned off when Windows shutdown completes.
|
||||
|
||||
This setting does not affect Windows shutdown behavior when shutdown is manually selected using the Start menu or Task Manager user interfaces.
|
||||
This setting doesn't affect Windows shutdown behavior when shutdown is manually selected using the Start menu or Task Manager user interfaces.
|
||||
|
||||
Applications such as UPS software may rely on Windows shutdown behavior.
|
||||
|
||||
@ -1019,7 +1020,7 @@ This setting is only applicable when Windows shutdown is initiated by software p
|
||||
|
||||
If you enable this policy setting, the computer system safely shuts down and remains in a powered state, ready for power to be safely removed.
|
||||
|
||||
If you disable or do not configure this policy setting, the computer system safely shuts down to a fully powered-off state.
|
||||
If you disable or don't configure this policy setting, the computer system safely shuts down to a fully powered-off state.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1068,7 +1069,7 @@ If you enable this policy setting, desktop background slideshow is enabled.
|
||||
|
||||
If you disable this policy setting, the desktop background slideshow is disabled.
|
||||
|
||||
If you disable or do not configure this policy setting, users control this setting.
|
||||
If you disable or don't configure this policy setting, users control this setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1117,7 +1118,7 @@ If you enable this policy setting, desktop background slideshow is enabled.
|
||||
|
||||
If you disable this policy setting, the desktop background slideshow is disabled.
|
||||
|
||||
If you disable or do not configure this policy setting, users control this setting.
|
||||
If you disable or don't configure this policy setting, users control this setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1164,7 +1165,7 @@ This policy setting specifies the active power plan from a list of default Windo
|
||||
|
||||
If you enable this policy setting, specify a power plan from the Active Power Plan list.
|
||||
|
||||
If you disable or do not configure this policy setting, users control this setting.
|
||||
If you disable or don't configure this policy setting, users control this setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1209,9 +1210,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hibernate or suspend state.
|
||||
|
||||
If you enable this policy setting, the client computer is locked and prompted for a password when it is resumed from a suspend or hibernate state.
|
||||
If you enable this policy setting, the client computer is locked and prompted for a password when it's resumed from a suspend or hibernate state.
|
||||
|
||||
If you disable or do not configure this policy setting, users control if their computer is automatically locked or not after performing a resume operation.
|
||||
If you disable or don't configure this policy setting, users control if their computer is automatically locked or not after performing a resume operation.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
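Review bot: In the edited line, "the client computer is locked and prompted for a password" makes the computer the thing being prompted. Suggest "the client computer is locked and the user is prompted for a password when it's resumed from a suspend or hibernate state". The first sentence of the description has the same construction ("lock and prompt for a password").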
@ -1258,7 +1259,7 @@ This policy setting allows you to turn off Power Throttling.
|
||||
|
||||
If you enable this policy setting, Power Throttling will be turned off.
|
||||
|
||||
If you disable or do not configure this policy setting, users control this setting.
|
||||
If you disable or don't configure this policy setting, users control this setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1305,7 +1306,7 @@ This policy setting specifies the percentage of battery capacity remaining that
|
||||
|
||||
If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the reserve power notification.
|
||||
|
||||
If you disable or do not configure this policy setting, users can see and change this setting.
|
||||
If you disable or don't configure this policy setting, users can see and change this setting.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1324,3 +1325,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_PowerShellExecutionPolicy
|
||||
description: Policy CSP - ADMX_PowerShellExecutionPolicy
|
||||
description: Learn about Policy CSP - ADMX_PowerShellExecutionPolicy.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -13,6 +13,7 @@ manager: dansimp
|
||||
---
|
||||
|
||||
# Policy CSP - ADMX_PowerShellExecutionPolicy
|
||||
|
||||
>[!TIP]
|
||||
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
@ -73,7 +74,7 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy setting allows you to turn on logging for Windows PowerShell modules.
|
||||
|
||||
If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to True.
|
||||
If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell login Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to True.
|
||||
|
||||
If you disable this policy setting, logging of execution events is disabled for all Windows PowerShell modules. Disabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to False. If this policy setting isn't configured, the LogPipelineExecutionDetails property of a module or snap-in determines whether the execution events of a module or snap-in are logged. By default, the LogPipelineExecutionDetails property of all modules and snap-ins is set to False.
|
||||
|
||||
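Review bot: the replacement line changes "recorded in the Windows PowerShell log in Event Viewer" to "recorded in the Windows PowerShell login Event Viewer", which alters the meaning. The events are written to the Windows PowerShell log, which is viewed in Event Viewer; there is no "login" involved. Restore "log in Event Viewer" so that readers who depend on module logging for pipeline execution records are pointed at the right log.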
@ -128,7 +129,7 @@ This policy setting lets you configure the script execution policy, controlling
|
||||
|
||||
If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. The "Allow only signed scripts" policy setting allows scripts to execute only if they're signed by a trusted publisher.
|
||||
|
||||
The "Allow local scripts and remote signed scripts" policy setting allows any local scripts to run; scripts that originate from the Internet must be signed by a trusted publisher. The "Allow all scripts" policy setting allows all scripts to run.
|
||||
The "Allow local scripts and remote signed scripts" policy setting allows any local scripts to run. And, the scripts that originate from the Internet must be signed by a trusted publisher. The "Allow all scripts" policy setting allows all scripts to run.
|
||||
|
||||
If you disable this policy setting, no scripts are allowed to run.
|
||||
|
||||
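Review bot: in the reworded "Allow local scripts and remote signed scripts" sentence, "run. And, the scripts that originate from the Internet ..." splits one rule into two sentences, and the leading "And," makes the signing requirement read as an afterthought. That requirement is the restrictive half of this option, so keep it attached, for example "allows any local scripts to run, but scripts that originate from the Internet must be signed by a trusted publisher."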
@ -255,4 +256,8 @@ ADMX Info:
|
||||
|
||||
|
||||
|
||||
<!--/Policies-->
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -14,9 +14,6 @@ manager: dansimp
|
||||
|
||||
# Policy CSP - ADMX_PreviousVersions
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--Policies-->
|
||||
## ADMX_PreviousVersions policies
|
||||
|
||||
> [!TIP]
|
||||
@ -26,6 +23,10 @@ manager: dansimp
|
||||
>
|
||||
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--Policies-->
|
||||
|
||||
<dl>
|
||||
<dd>
|
||||
<a href="#admx-previousversions-disablelocalpage_1">ADMX_PreviousVersions/DisableLocalPage_1</a>
|
||||
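Review bot: the `## ADMX_PreviousVersions policies` heading that the previous hunk removed together with `<hr/>` and `<!--Policies-->` is not added back here; only `<hr/>` and `<!--Policies-->` return after the TIP block. The ADMX_PushToInstall and ADMX_Radar files in this same commit keep their `## ... policies` heading after the same move. Re-add the heading after `<!--Policies-->`, or confirm that dropping it from this file is intended.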
@ -85,13 +86,10 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file.
|
||||
|
||||
- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file.
|
||||
|
||||
- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file.
|
||||
|
||||
- If the user clicks the Restore button, Windows attempts to restore the file from the local disk.
|
||||
|
||||
- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file.
|
||||
- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file.
|
||||
- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file.
|
||||
- If the user clicks the Restore button, Windows attempts to restore the file from the local disk.
|
||||
- If you don't configure this policy setting, it's disabled by default. The Restore button is active when the previous version is of a local file.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -136,13 +134,10 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file.
|
||||
|
||||
- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file.
|
||||
|
||||
- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file.
|
||||
|
||||
- If the user clicks the Restore button, Windows attempts to restore the file from the local disk.
|
||||
|
||||
- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file.
|
||||
- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file.
|
||||
- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file.
|
||||
- If the user clicks the Restore button, Windows attempts to restore the file from the local disk.
|
||||
- If you don't configure this policy setting, it's disabled by default. The Restore button is active when the previous version is of a local file.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -187,13 +182,10 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share.
|
||||
|
||||
- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share.
|
||||
|
||||
- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share.
|
||||
|
||||
- If the user clicks the Restore button, Windows attempts to restore the file from the file share.
|
||||
|
||||
- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share.
|
||||
- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share.
|
||||
- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share.
|
||||
- If the user clicks the Restore button, Windows attempts to restore the file from the file share.
|
||||
- If you don't configure this policy setting, it's disabled by default. The Restore button is active when the previous version is of a file on a file share.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -238,13 +230,10 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share.
|
||||
|
||||
- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share.
|
||||
|
||||
- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share.
|
||||
|
||||
- If the user clicks the Restore button, Windows attempts to restore the file from the file share.
|
||||
|
||||
- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share.
|
||||
- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share.
|
||||
- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share.
|
||||
- If the user clicks the Restore button, Windows attempts to restore the file from the file share.
|
||||
- If you don't configure this policy setting, it's disabled by default. The Restore button is active when the previous version is of a file on a file share.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -290,11 +279,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media.
|
||||
|
||||
- If you enable this policy setting, users cannot see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points.
|
||||
|
||||
- If you disable this policy setting, users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points.
|
||||
|
||||
If you do not configure this policy setting, it is disabled by default.
|
||||
- If you enable this policy setting, users can't see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points.
|
||||
- If you disable this policy setting, users can see previous versions corresponding to backup copies and previous versions corresponding to on-disk restore points.
|
||||
- If you don't configure this policy setting, it's disabled by default.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -339,11 +326,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media.
|
||||
|
||||
- If you enable this policy setting, users cannot see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points.
|
||||
|
||||
- If you disable this policy setting, users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points.
|
||||
|
||||
If you do not configure this policy setting, it is disabled by default.
|
||||
- If you enable this policy setting, users can't see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points.
|
||||
- If you disable this policy setting, users can see previous versions corresponding to backup copies and previous versions corresponding to on-disk restore points.
|
||||
- If you don't configure this policy setting, it's disabled by default.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -388,13 +373,10 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share.
|
||||
|
||||
- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share.
|
||||
|
||||
- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share.
|
||||
|
||||
- If the user clicks the Restore button, Windows attempts to restore the file from the file share.
|
||||
|
||||
- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share.
|
||||
- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share.
|
||||
- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share.
|
||||
- If the user clicks the Restore button, Windows attempts to restore the file from the file share.
|
||||
- If you don't configure this policy setting, it's disabled by default. The Restore button is active when the previous version is of a file on a file share.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -439,13 +421,10 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share.
|
||||
|
||||
- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share.
|
||||
|
||||
- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share.
|
||||
|
||||
- If the user clicks the Restore button, Windows attempts to restore the file from the file share.
|
||||
|
||||
- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share.
|
||||
- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share.
|
||||
- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share.
|
||||
- If the user clicks the Restore button, Windows attempts to restore the file from the file share.
|
||||
- If you don't configure this policy setting, it's disabled by default. The Restore button is active when the previous version is of a file on a file share.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -460,3 +439,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_Printing
|
||||
description: Policy CSP - ADMX_Printing
|
||||
description: Learn about Policy CSP - ADMX_Printing.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -13,6 +13,7 @@ manager: dansimp
|
||||
---
|
||||
|
||||
# Policy CSP - ADMX_Printing
|
||||
|
||||
>[!TIP]
|
||||
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
@ -252,7 +253,8 @@ If you enable this policy setting, you replace the "Get help with printing" defa
|
||||
If you disable this setting or don't configure it, or if you don't enter an alternate Internet address, the default link will appear in the Printers folder.
|
||||
|
||||
> [!NOTE]
|
||||
> Web pages links only appear in the Printers folder when Web view is enabled. If Web view is disabled, the setting has no effect. (To enable Web view, open the Printers folder, and, on the Tools menu, click Folder Options, click the General tab, and then click "Enable Web content in folders.")
|
||||
> Web pages links only appear in the Printers folder when Web view is enabled. If Web view is disabled, the setting has no effect.
|
||||
> To enable Web view, open the Printers folder, and, on the Tools menu, click Folder Options, click the General tab, and then click "Enable Web content in folders."
|
||||
|
||||
Also, see the "Activate Internet printing" setting in this setting folder and the "Browse a common web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers.
|
||||
|
||||
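Review bot: in the split NOTE, the two `>` lines are adjacent, so Markdown still renders them as a single paragraph; put a bare `>` line between them if the "To enable Web view" steps are meant to stand apart. While this line is being touched, "Web pages links" should read "Web page links".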
@ -307,10 +309,8 @@ If you disable this policy setting, the client computer will only search the loc
|
||||
|
||||
This policy setting isn't configured by default, and the behavior depends on the version of Windows that you're using.
|
||||
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
|
||||
<!--ADMXBacked-->
|
||||
ADMX Info:
|
||||
- GP Friendly name: *Extend Point and Print connection to search Windows Update*
|
||||
@ -1444,5 +1444,8 @@ ADMX Info:
|
||||
<hr/>
|
||||
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
<!--/Policies-->
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_Printing2
|
||||
description: Policy CSP - ADMX_Printing2
|
||||
description: Learn about Policy CSP - ADMX_Printing2.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -13,6 +13,7 @@ manager: dansimp
|
||||
---
|
||||
|
||||
# Policy CSP - ADMX_Printing2
|
||||
|
||||
>[!TIP]
|
||||
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
@ -189,7 +190,7 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
Determines whether the pruning service on a domain controller prunes printer objects that aren't automatically republished whenever the host computer doesn't respond, just as it does with Windows 2000 printers. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published outside their forest.
|
||||
This policy setting determines whether the pruning service on a domain controller prunes printer objects that aren't automatically republished whenever the host computer doesn't respond, just as it does with Windows 2000 printers. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published outside their forest.
|
||||
|
||||
The Windows pruning service prunes printer objects from Active Directory when the computer that published them doesn't respond to contact requests. Computers running Windows 2000 Professional detect and republish deleted printer objects when they rejoin the network. However, because non-Windows 2000 computers and computers in other domains can't republish printers in Active Directory automatically, by default, the system never prunes their printer objects.
|
||||
|
||||
@ -416,10 +417,8 @@ If you enable this policy setting, the contact events are recorded in the event
|
||||
|
||||
If you disable or don't configure this policy setting, the contact events aren't recorded in the event log.
|
||||
|
||||
Note: This setting doesn't affect the logging of pruning events; the actual pruning of a printer is always logged.
|
||||
|
||||
> [!NOTE]
|
||||
> This setting is used only on domain controllers.
|
||||
> This setting doesn't affect the logging of pruning events; the actual pruning of a printer is always logged. This setting is used only on domain controllers.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -534,4 +533,8 @@ ADMX Info:
|
||||
<hr/>
|
||||
|
||||
|
||||
<!--/Policies-->
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_Programs
|
||||
description: Policy CSP - ADMX_Programs
|
||||
description: Learn about Policy CSP - ADMX_Programs.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -13,6 +13,7 @@ manager: dansimp
|
||||
---
|
||||
|
||||
# Policy CSP - ADMX_Programs
|
||||
|
||||
>[!TIP]
|
||||
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
@ -83,7 +84,7 @@ This setting removes the Set Program Access and Defaults page from the Programs
|
||||
|
||||
The Set Program Access and Computer Defaults page allows administrators to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as specify the programs that are accessible from the Start menu, desktop, and other locations.
|
||||
|
||||
If this setting is disabled or not configured, the Set Program Access and Defaults button is available to all users.
|
||||
If this setting is disabled or not configured, the "Set Program Access and Defaults" button is available to all users.
|
||||
|
||||
This setting doesn't prevent users from using other tools and methods to change program access or defaults.
|
||||
|
||||
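Review bot: the name quoted in the changed line, the "Set Program Access and Defaults" button, doesn't match the rest of the description. The paragraph above calls it the "Set Program Access and Computer Defaults page", the hunk context says the setting removes a page rather than a button, and the GP friendly name further down is Hide "Set Program Access and Computer Defaults" page. Use one name and one control type throughout, matching the friendly name.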
@ -91,7 +92,6 @@ This setting doesn't prevent the Default Programs icon from appearing on the Sta
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
|
||||
<!--ADMXBacked-->
|
||||
ADMX Info:
|
||||
- GP Friendly name: *Hide "Set Program Access and Computer Defaults" page*
|
||||
@ -407,3 +407,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_PushToInstall
|
||||
description: Policy CSP - ADMX_PushToInstall
|
||||
description: Learn about Policy CSP - ADMX_PushToInstall.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -14,11 +14,6 @@ manager: dansimp
|
||||
|
||||
# Policy CSP - ADMX_PushToInstall
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--Policies-->
|
||||
## ADMX_PushToInstall policies
|
||||
|
||||
> [!TIP]
|
||||
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
@ -26,6 +21,11 @@ manager: dansimp
|
||||
>
|
||||
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--Policies-->
|
||||
## ADMX_PushToInstall policies
|
||||
|
||||
<dl>
|
||||
<dd>
|
||||
<a href="#admx-pushtoinstall-disablepushtoinstall">ADMX_PushToInstall/DisablePushToInstall</a>
|
||||
@ -78,3 +78,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ADMX_Radar
|
||||
description: Policy CSP - ADMX_Radar
|
||||
description: Learn about Policy CSP - ADMX_Radar.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
@ -14,11 +14,6 @@ manager: dansimp
|
||||
|
||||
# Policy CSP - ADMX_Radar
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--Policies-->
|
||||
## ADMX_Radar policies
|
||||
|
||||
> [!TIP]
|
||||
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
>
|
||||
@ -26,6 +21,11 @@ manager: dansimp
|
||||
>
|
||||
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--Policies-->
|
||||
## ADMX_Radar policies
|
||||
|
||||
<dl>
|
||||
<dd>
|
||||
<a href="#admx-radar-wdiscenarioexecutionpolicy">ADMX_Radar/WdiScenarioExecutionPolicy</a>
|
||||
@ -64,14 +64,19 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy determines the execution level for Windows Resource Exhaustion Detection and Resolution.
|
||||
|
||||
- If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Resource Exhaustion problems and attempt to determine their root causes.
|
||||
If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Resource Exhaustion problems and attempt to determine their root causes.
|
||||
|
||||
These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Resource Exhaustion problems and indicate to the user that assisted resolution is available.
|
||||
These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting, and resolution, the DPS will detect Windows Resource Exhaustion problems and indicate to the user that assisted resolution is available.
|
||||
|
||||
- If you disable this policy setting, Windows won't be able to detect, troubleshoot or resolve any Windows Resource Exhaustion problems that are handled by the DPS.
|
||||
If you disable this policy setting, Windows won't be able to detect, troubleshoot or resolve any Windows Resource Exhaustion problems that are handled by the DPS.
|
||||
|
||||
If you don't configure this policy setting, the DPS will enable Windows Resource Exhaustion for resolution by default.
|
||||
This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. No system restart or service restart is required for this policy to take effect: changes take effect immediately. This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios won't be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
|
||||
This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured.
|
||||
|
||||
No system restart or service restart is required for this policy to take effect; changes take effect immediately.
|
||||
|
||||
>[!Note]
|
||||
> This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios won't be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
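Review bot: the new callout is written `>[!Note]`, while the other notes touched in this commit use `> [!NOTE]`; use the same form here. The serial comma was also added to "detection, troubleshooting, and resolution", but "detect, troubleshoot or resolve" in the disable sentence was left without one, so the paragraph is now inconsistent.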
@ -89,3 +94,6 @@ ADMX Info:
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
|
@ -14,7 +14,6 @@ manager: dansimp
|
||||
|
||||
# Policy CSP - Education
|
||||
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--Policies-->
|
||||
@ -35,7 +34,6 @@ manager: dansimp
|
||||
</dd>
|
||||
</dl>
|
||||
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--Policy-->
|
||||
@ -52,7 +50,6 @@ manager: dansimp
|
||||
|Enterprise|Yes|Yes|
|
||||
|Education|Yes|Yes|
|
||||
|
||||
|
||||
<!--/SupportedSKUs-->
|
||||
<hr/>
|
||||
|
||||
@ -66,7 +63,7 @@ manager: dansimp
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality won't be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you'll be able to access graphing functionality.
|
||||
This policy setting allows you to control, whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality won't be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you'll be able to access graphing functionality.
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
ADMX Info:
|
||||
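Review bot: the comma added in "allows you to control, whether graphing functionality is available" is ungrammatical; the "whether ..." clause is the object of "control" and takes no comma. Revert to "control whether graphing functionality is available".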
@ -99,7 +96,6 @@ The following list shows the supported values:
|
||||
|Enterprise|Yes|Yes|
|
||||
|Education|Yes|Yes|
|
||||
|
||||
|
||||
<!--/SupportedSKUs-->
|
||||
<hr/>
|
||||
|
||||
@ -186,7 +182,6 @@ The following list shows the supported values:
|
||||
|Enterprise|Yes|Yes|
|
||||
|Education|Yes|Yes|
|
||||
|
||||
|
||||
<!--/SupportedSKUs-->
|
||||
<hr/>
|
||||
|
||||
@ -209,6 +204,8 @@ The policy value is expected to be a `````` separated list of printer na
|
||||
<hr/>
|
||||
|
||||
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
## Related topics
|
||||
|
||||
[Policy configuration service provider](policy-configuration-service-provider.md)
|
Some files were not shown because too many files have changed in this diff.