january 2024 update

Aaron Czechowski 2024-01-31 17:16:03 -08:00
parent 50b8c1bd04
commit 43302fd79f
3 changed files with 792 additions and 11 deletions

@ -1,7 +1,7 @@
---
title: LAPS CSP
description: Learn more about the LAPS CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -34,7 +34,13 @@ The following list shows the LAPS configuration service provider nodes:
- [AdministratorAccountName](#policiesadministratoraccountname)
- [ADPasswordEncryptionEnabled](#policiesadpasswordencryptionenabled)
- [ADPasswordEncryptionPrincipal](#policiesadpasswordencryptionprincipal)
- [AutomaticAccountManagementEnableAccount](#policiesautomaticaccountmanagementenableaccount)
- [AutomaticAccountManagementEnabled](#policiesautomaticaccountmanagementenabled)
- [AutomaticAccountManagementNameOrPrefix](#policiesautomaticaccountmanagementnameorprefix)
- [AutomaticAccountManagementRandomizeName](#policiesautomaticaccountmanagementrandomizename)
- [AutomaticAccountManagementTarget](#policiesautomaticaccountmanagementtarget)
- [BackupDirectory](#policiesbackupdirectory)
- [PassphraseLength](#policiespassphraselength)
- [PasswordAgeDays](#policiespasswordagedays)
- [PasswordComplexity](#policiespasswordcomplexity)
- [PasswordExpirationProtectionEnabled](#policiespasswordexpirationprotectionenabled)
@ -420,6 +426,275 @@ If the specified user or group account is invalid the device will fallback to us
<!-- Device-Policies-ADPasswordEncryptionPrincipal-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Begin -->
### Policies/AutomaticAccountManagementEnableAccount
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnableAccount
```
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-OmaUri-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Description-Begin -->
<!-- Description-Source-DDF -->
Use this setting to configure whether the automatically managed account is enabled or disabled.
- If this setting is enabled, the target account will be enabled.
- If this setting is disabled, the target account will be disabled.
If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Description-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Editable-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | False |
| Dependency [AutomaticAccountManagementEnabled] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled` <br> Dependency Allowed Value: `true` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-DFProperties-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| False (Default) | The target account will be disabled. |
| True | The target account will be enabled. |
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-AllowedValues-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Examples-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-Begin -->
### Policies/AutomaticAccountManagementEnabled
<!-- Device-Policies-AutomaticAccountManagementEnabled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- Device-Policies-AutomaticAccountManagementEnabled-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled
```
<!-- Device-Policies-AutomaticAccountManagementEnabled-OmaUri-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-Description-Begin -->
<!-- Description-Source-DDF -->
Use this setting to specify whether automatic account management is enabled.
- If this setting is enabled, the target account will be automatically managed.
- If this setting is disabled, the target account won't be automatically managed.
If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementEnabled-Description-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-Editable-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | False |
<!-- Device-Policies-AutomaticAccountManagementEnabled-DFProperties-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| false (Default) | The target account won't be automatically managed. |
| true | The target account will be automatically managed. |
<!-- Device-Policies-AutomaticAccountManagementEnabled-AllowedValues-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-Examples-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Begin -->
### Policies/AutomaticAccountManagementNameOrPrefix
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementNameOrPrefix
```
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-OmaUri-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Description-Begin -->
<!-- Description-Source-DDF -->
Use this setting to configure the name or prefix of the managed local administrator account.
If specified, the value will be used as the name or name prefix of the managed account.
If not specified, this setting will default to "WLapsAdmin".
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Description-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Editable-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Dependency [AutomaticAccountManagementEnabled] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled` <br> Dependency Allowed Value: `true` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-DFProperties-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Examples-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Begin -->
### Policies/AutomaticAccountManagementRandomizeName
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementRandomizeName
```
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-OmaUri-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Description-Begin -->
<!-- Description-Source-DDF -->
Use this setting to configure whether the name of the automatically managed account uses a random numeric suffix each time the password is rotated.
If this setting is enabled, the name of the target account will use a random numeric suffix.
If this setting is disbled, the name of the target account won't use a random numeric suffix.
If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Description-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Editable-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | False |
| Dependency [AutomaticAccountManagementEnabled] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled` <br> Dependency Allowed Value: `true` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-DFProperties-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| False (Default) | The name of the target account won't use a random numeric suffix. |
| True | The name of the target account will use a random numeric suffix. |
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-AllowedValues-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Examples-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-Begin -->
### Policies/AutomaticAccountManagementTarget
<!-- Device-Policies-AutomaticAccountManagementTarget-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- Device-Policies-AutomaticAccountManagementTarget-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementTarget
```
<!-- Device-Policies-AutomaticAccountManagementTarget-OmaUri-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-Description-Begin -->
<!-- Description-Source-DDF -->
Use this setting to configure which account is automatically managed.
The allowable settings are:
0=The builtin administrator account will be managed.
1=A new account created by Windows LAPS will be managed.
If not specified, this setting will default to 1.
<!-- Device-Policies-AutomaticAccountManagementTarget-Description-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementTarget-Editable-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
| Dependency [AutomaticAccountManagementEnabled] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled` <br> Dependency Allowed Value: `true` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-Policies-AutomaticAccountManagementTarget-DFProperties-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Manage the built-in administrator account. |
| 1 (Default) | Manage a new custom administrator account. |
<!-- Device-Policies-AutomaticAccountManagementTarget-AllowedValues-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementTarget-Examples-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-End -->
<!-- Device-Policies-BackupDirectory-Begin -->
### Policies/BackupDirectory
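Review bot: The AutomaticAccountManagementRandomizeName description misspells "disabled" ("If this setting is disbled"), and unlike the EnableAccount and Enabled descriptions earlier in the hunk, its enabled/disabled lines are not list items. The block is marked Description-Source-DDF, so the fix belongs in the DDF text, where it will survive regeneration. Separately, AutomaticAccountManagementNameOrPrefix states a default of "WLapsAdmin" in its description but its properties table has no Default Value row, and every new node lists Applicable OS as `[99.9.9999]`, which reads like a placeholder build number.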
@ -478,6 +753,54 @@ If not specified, this setting will default to 0.
<!-- Device-Policies-BackupDirectory-End -->
<!-- Device-Policies-PassphraseLength-Begin -->
### Policies/PassphraseLength
<!-- Device-Policies-PassphraseLength-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- Device-Policies-PassphraseLength-Applicability-End -->
<!-- Device-Policies-PassphraseLength-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/LAPS/Policies/PassphraseLength
```
<!-- Device-Policies-PassphraseLength-OmaUri-End -->
<!-- Device-Policies-PassphraseLength-Description-Begin -->
<!-- Description-Source-DDF -->
Use this setting to configure the number of passphrase words.
If not specified, this setting will default to 6 words.
This setting has a minimum allowed value of 3 words.
This setting has a maximum allowed value of 10 words.
<!-- Device-Policies-PassphraseLength-Description-End -->
<!-- Device-Policies-PassphraseLength-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-PassphraseLength-Editable-End -->
<!-- Device-Policies-PassphraseLength-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[3-10]` |
| Default Value | 6 |
| Dependency [PasswordComplexity] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/LAPS/Policies/PasswordComplexity` <br> Dependency Allowed Value: `[6-8]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- Device-Policies-PassphraseLength-DFProperties-End -->
<!-- Device-Policies-PassphraseLength-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-PassphraseLength-Examples-End -->
<!-- Device-Policies-PassphraseLength-End -->
<!-- Device-Policies-PasswordAgeDays-Begin -->
### Policies/PasswordAgeDays
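Review bot: The PassphraseLength description never says that the setting only applies when PasswordComplexity is 6, 7 or 8; that is recoverable only from the Dependency row (`[6-8]`). Add a sentence to the description saying so. Consider also stating how the 3-word minimum compares in strength with the character-based options, since an admin choosing between PasswordLength and PassphraseLength has nothing on this page to compare them by.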
@ -550,9 +873,15 @@ The allowable settings are:
1=Large letters
2=Large letters + small letters
3=Large letters + small letters + numbers
4=Large letters + small letters + numbers + special characters.
4=Large letters + small letters + numbers + special characters
5=Large letters + small letters + numbers + special characters (improved readability)
6=Passphrase (long words)
7=Passphrase (short words)
8=Passphrase (short words with unique prefixes)
If not specified, this setting will default to 4.
Passphrase list taken from "Deep Dive: EFF's New Wordlists for Random Passphrases" by Electronic Frontier Foundation, and is used under a CC-BY-3.0 Attribution license. See <https://go.microsoft.com/fwlink/?linkid=2255471> for more information.
<!-- Device-Policies-PasswordComplexity-Description-End -->
<!-- Device-Policies-PasswordComplexity-Editable-Begin -->
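Review bot: Values 5 and 8 are listed without saying what they change: "(improved readability)" does not say how the generated characters differ from option 4, and "(short words with unique prefixes)" does not say how it differs from option 7. A short clause for each would let an admin choose on more than the label.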
@ -580,6 +909,10 @@ If not specified, this setting will default to 4.
| 2 | Large letters + small letters. |
| 3 | Large letters + small letters + numbers. |
| 4 (Default) | Large letters + small letters + numbers + special characters. |
| 5 | Large letters + small letters + numbers + special characters (improved readability). |
| 6 | Passphrase (long words). |
| 7 | Passphrase (short words). |
| 8 | Passphrase (short words with unique prefixes). |
<!-- Device-Policies-PasswordComplexity-AllowedValues-End -->
<!-- Device-Policies-PasswordComplexity-Examples-Begin -->
@ -683,6 +1016,7 @@ This setting has a maximum allowed value of 64 characters.
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[8-64]` |
| Default Value | 14 |
| Dependency [PasswordComplexity] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/LAPS/Policies/PasswordComplexity` <br> Dependency Allowed Value: `[1-5]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- Device-Policies-PasswordLength-DFProperties-End -->
<!-- Device-Policies-PasswordLength-Examples-Begin -->
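Review bot: The new Dependency row ties PasswordLength to PasswordComplexity `[1-5]`, but nothing says what happens to an existing profile that sets PasswordLength and is later switched to a passphrase value (6-8). State whether the node is rejected or ignored in that case.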
@ -740,6 +1074,7 @@ If not specified, this setting will default to 3 (Reset the password and logoff
| 1 | Reset password: upon expiry of the grace period, the managed account password will be reset. |
| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated. |
| 5 | Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. |
| 11 | Reset the password, logoff the managed account, and terminate any remaining processes: upon expiration of the grace period, the managed account password is reset, any interactive logon sessions using the managed account are logged off, and any remaining processes are terminated. |
<!-- Device-Policies-PostAuthenticationActions-AllowedValues-End -->
<!-- Device-Policies-PostAuthenticationActions-Examples-Begin -->
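Review bot: The row for value 11 is written in the present tense ("upon expiration ... is reset") while the rows for 1, 3 and 5 use "upon expiry ... will be reset"; match the existing wording. The values 1, 3, 5 and 11 also look like bit combinations, yet the table neither says so nor says whether other values are accepted. That matters here because 11 is the only option that terminates processes left running under the managed account.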

@ -1,7 +1,7 @@
---
title: LAPS DDF file
description: View the XML file containing the device description framework (DDF) for the LAPS configuration service provider.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -194,8 +194,14 @@ The allowable settings are:
2=Large letters + small letters
3=Large letters + small letters + numbers
4=Large letters + small letters + numbers + special characters
5=Large letters + small letters + numbers + special characters (improved readability)
6=Passphrase (long words)
7=Passphrase (short words)
8=Passphrase (short words with unique prefixes)
If not specified, this setting will default to 4.</Description>
If not specified, this setting will default to 4.
Passphrase list taken from "Deep Dive: EFF's New Wordlists for Random Passphrases" by Electronic Frontier Foundation, and is used under a CC-BY-3.0 Attribution license. See https://go.microsoft.com/fwlink/?linkid=2255471 for more information.</Description>
<DFFormat>
<int />
</DFFormat>
@ -225,6 +231,22 @@ If not specified, this setting will default to 4.</Description>
<MSFT:Value>4</MSFT:Value>
<MSFT:ValueDescription>Large letters + small letters + numbers + special characters</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>5</MSFT:Value>
<MSFT:ValueDescription>Large letters + small letters + numbers + special characters (improved readability)</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>6</MSFT:Value>
<MSFT:ValueDescription>Passphrase (long words)</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>7</MSFT:Value>
<MSFT:ValueDescription>Passphrase (short words)</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>8</MSFT:Value>
<MSFT:ValueDescription>Passphrase (short words with unique prefixes)</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
@ -260,6 +282,70 @@ This setting has a maximum allowed value of 64 characters.</Description>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[8-64]</MSFT:Value>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="PasswordComplexity">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/PasswordComplexity</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="Range">
<MSFT:Enum>
<MSFT:Value>[1-5]</MSFT:Value>
<MSFT:ValueDescription>PasswordComplexity configured to generate a password</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>PassphraseLength</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>6</DefaultValue>
<Description>Use this setting to configure the number of passphrase words.
If not specified, this setting will default to 6 words
This setting has a minimum allowed value of 3 words.
This setting has a maximum allowed value of 10 words.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[3-10]</MSFT:Value>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="PasswordComplexity">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/PasswordComplexity</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="Range">
<MSFT:Enum>
<MSFT:Value>[6-8]</MSFT:Value>
<MSFT:ValueDescription>PasswordComplexity configured to generate a passphrase</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
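Review bot: In the PassphraseLength `<Description>`, the line "If not specified, this setting will default to 6 words" is missing its full stop, while the same sentence in the CSP page in this commit has one. If the CSP page is generated from this text, the two files are already out of step; correct the DDF and regenerate.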
@ -567,9 +653,278 @@ If not specified, this setting will default to 3 (Reset the password and logoff
<MSFT:Value>5</MSFT:Value>
<MSFT:ValueDescription>Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>11</MSFT:Value>
<MSFT:ValueDescription>Reset the password, logoff the managed account, and terminate any remaining processes: upon expiration of the grace period, the managed account password is reset, any interactive logon sessions using the managed account are logged off, and any remaining processes are terminated.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>AutomaticAccountManagementEnabled</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Use this setting to specify whether automatic account management is enabled.
If this setting is enabled, the target account will be automatically managed.
If this setting is disabled, the target account will not be automatically managed.
If not specified, this setting defaults to False.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>The target account will not be automatically managed</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>The target account will be automatically managed</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>AutomaticAccountManagementTarget</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>Use this setting to configure which account is automatically managed.
The allowable settings are:
0=The builtin administrator account will be managed.
1=A new account created by Windows LAPS will be managed.
If not specified, this setting will default to 1.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Manage the built-in administrator account</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Manage a new custom administrator account</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="AutomaticAccountManagementEnabled">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>AutomaticAccountManagementEnabled enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>AutomaticAccountManagementNameOrPrefix</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Use this setting to configure the name or prefix of the managed local administrator account.
If specified, the value will be used as the name or name prefix of the managed account.
If not specified, this setting will default to "WLapsAdmin".</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="AutomaticAccountManagementEnabled">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>AutomaticAccountManagementEnabled enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>AutomaticAccountManagementEnableAccount</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Use this setting to configure whether the automatically managed account is enabled or disabled.
If this setting is enabled, the target account will be enabled.
If this setting is disabled, the target account will be disabled.
If not specified, this setting defaults to False.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>False</MSFT:Value>
<MSFT:ValueDescription>The target account will be disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>True</MSFT:Value>
<MSFT:ValueDescription>The target account will be enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="AutomaticAccountManagementEnabled">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>AutomaticAccountManagementEnabled enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>AutomaticAccountManagementRandomizeName</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Use this setting to configure whether the name of the automatically managed account uses a random numeric suffix each time the password is rotated.
If this setting is enabled, the name of the target account will use a random numeric suffix.
If this setting is disbled, the name of the target account will not use a random numeric suffix..
If not specified, this setting defaults to False.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>False</MSFT:Value>
<MSFT:ValueDescription>The name of the target account will not use a random numeric suffix.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>True</MSFT:Value>
<MSFT:ValueDescription>The name of the target account will use a random numeric suffix.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="AutomaticAccountManagementEnabled">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>AutomaticAccountManagementEnabled enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Actions</NodeName>
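Review bot: Boolean literals are cased inconsistently across the new nodes: AutomaticAccountManagementEnabled declares `<DefaultValue>False</DefaultValue>` but enumerates `false`/`true`, EnableAccount and RandomizeName enumerate `False`/`True`, and every dependency tests for `true`. Pick one casing so that a declared default always matches an enumerated value. In the RandomizeName description, "disbled" is misspelled and the same sentence ends with "..". AutomaticAccountManagementNameOrPrefix has no `<DefaultValue>` or AllowedValues element even though its description names a default of "WLapsAdmin"; if the account name has length or character limits, declare them here.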

@ -1,7 +1,7 @@
---
title: MixedReality Policy CSP
description: Learn more about the MixedReality Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -321,6 +321,97 @@ This policy setting controls if pressing the brightness button changes the brigh
<!-- BrightnessButtonDisabled-End -->
<!-- ConfigureDeviceStandbyAction-Begin -->
## ConfigureDeviceStandbyAction
<!-- ConfigureDeviceStandbyAction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ConfigureDeviceStandbyAction-Applicability-End -->
<!-- ConfigureDeviceStandbyAction-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/ConfigureDeviceStandbyAction
```
<!-- ConfigureDeviceStandbyAction-OmaUri-End -->
<!-- ConfigureDeviceStandbyAction-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls device maintenance action during standby.
<!-- ConfigureDeviceStandbyAction-Description-End -->
<!-- ConfigureDeviceStandbyAction-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureDeviceStandbyAction-Editable-End -->
<!-- ConfigureDeviceStandbyAction-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ConfigureDeviceStandbyAction-DFProperties-End -->
<!-- ConfigureDeviceStandbyAction-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Not configured. |
| 1 | Logoff users. |
| 2 | Reboot device. |
<!-- ConfigureDeviceStandbyAction-AllowedValues-End -->
<!-- ConfigureDeviceStandbyAction-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureDeviceStandbyAction-Examples-End -->
<!-- ConfigureDeviceStandbyAction-End -->
<!-- ConfigureDeviceStandbyActionTimeout-Begin -->
## ConfigureDeviceStandbyActionTimeout
<!-- ConfigureDeviceStandbyActionTimeout-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ConfigureDeviceStandbyActionTimeout-Applicability-End -->
<!-- ConfigureDeviceStandbyActionTimeout-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/ConfigureDeviceStandbyActionTimeout
```
<!-- ConfigureDeviceStandbyActionTimeout-OmaUri-End -->
<!-- ConfigureDeviceStandbyActionTimeout-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls when to start maintenance action after device enters standby. The timeout value is in hours.
<!-- ConfigureDeviceStandbyActionTimeout-Description-End -->
<!-- ConfigureDeviceStandbyActionTimeout-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureDeviceStandbyActionTimeout-Editable-End -->
<!-- ConfigureDeviceStandbyActionTimeout-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[1-168]` |
| Default Value | 8 |
<!-- ConfigureDeviceStandbyActionTimeout-DFProperties-End -->
<!-- ConfigureDeviceStandbyActionTimeout-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureDeviceStandbyActionTimeout-Examples-End -->
<!-- ConfigureDeviceStandbyActionTimeout-End -->
<!-- ConfigureMovingPlatform-Begin -->
## ConfigureMovingPlatform
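Review bot: Neither new section says how ConfigureDeviceStandbyAction and ConfigureDeviceStandbyActionTimeout relate to each other, and both Editable blocks are left empty. From the text as added, a reader cannot tell whether the timeout (default 8, range 1-168 hours) has any effect while the action is 0 (Not configured), or what "device maintenance action" covers beyond the two allowed values. Suggest adding one sentence to each Editable block stating the dependency, since anything outside that block is overwritten on regeneration. Wording nits for the DDF source: "Logoff users" should be "Log off users", and "after device enters standby" should be "after the device enters standby".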
@ -643,7 +734,7 @@ Windows Network Connectivity Status Indicator may get a false positive internet-
<!-- EnableStartMenuSingleHandGesture-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- EnableStartMenuSingleHandGesture-Applicability-End -->
<!-- EnableStartMenuSingleHandGesture-OmaUri-Begin -->
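Review bot: In the EnableStartMenuSingleHandGesture applicability row, the Applicable OS cell now names a released build (Windows 11, version 22H2 [10.0.22621] and later) while every Editions cell is still ❌, so the table reads as "available in this build, on no listed edition". If the policy applies only to a device family that the Editions column does not list, say so in the section's Editable block so administrators scoping this policy know where it takes effect. The same row pattern recurs in the EnableStartMenuVoiceCommand, EnableStartMenuWristTap, PreferLogonAsOtherUser, RequireStartIconHold and RequireStartIconVisible hunks that follow.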
@ -692,7 +783,7 @@ This policy setting controls if pinching your thumb and index finger, while look
<!-- EnableStartMenuVoiceCommand-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- EnableStartMenuVoiceCommand-Applicability-End -->
<!-- EnableStartMenuVoiceCommand-OmaUri-Begin -->
@ -741,7 +832,7 @@ This policy setting controls if using voice commands to open the Start menu is e
<!-- EnableStartMenuWristTap-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- EnableStartMenuWristTap-Applicability-End -->
<!-- EnableStartMenuWristTap-OmaUri-Begin -->
@ -1104,7 +1195,7 @@ The following example XML string shows the value to enable this policy:
<!-- PreferLogonAsOtherUser-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- PreferLogonAsOtherUser-Applicability-End -->
<!-- PreferLogonAsOtherUser-OmaUri-Begin -->
@ -1153,7 +1244,7 @@ This policy configures whether the Sign-In App should prefer showing Other User
<!-- RequireStartIconHold-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- RequireStartIconHold-Applicability-End -->
<!-- RequireStartIconHold-OmaUri-Begin -->
@ -1202,7 +1293,7 @@ This policy setting controls if it's require that the Start icon to be pressed f
<!-- RequireStartIconVisible-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- RequireStartIconVisible-Applicability-End -->
<!-- RequireStartIconVisible-OmaUri-Begin -->