deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 13:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into minorupdate

Browse Source
This commit is contained in:
Greg Lindsay 2022-02-11 06:52:39 -08:00 committed by GitHub
commit 443ac9c735
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
112 changed files with 2333 additions and 1093 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -14,6 +14,7 @@ common/
.openpublishing.build.mdproj
.openpublishing.buildcore.ps1
packages.config
settings.json
# User-specific files
.vs/

1
browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
View File

@ -34,6 +34,7 @@ Internet Explorer 11 gives you some new Group Policy settings to help you manage
| Always send Do Not Track header | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 | This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.<p>If you enable this policy setting, IE sends a `DNT:1` header with all HTTP and HTTPS requests. The `DNT:1` header signals to the servers not to track the user.<p>**In Internet Explorer 9 and 10:**<br>If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.<p>**In at least IE11:**<br>If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.<p>If you don't configure the policy setting, users can select the **Always send Do Not Track header** option on the **Advanced\* tab of the \*\*Internet Options** dialog box. By selecting this option, IE sends a `DNT:1` header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a `DNT:0` header. By default, this option is enabled. |
| Don't run antimalware programs against ActiveX controls<br>(Internet, Restricted Zones) | <ul><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone</li></ul> | IE11 on Windows 10 | This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.<p>If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.<p>If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.<p>If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using the Internet Explorer's **Security** settings. |
| Don't run antimalware programs against ActiveX controls<br>(Intranet, Trusted, Local Machine Zones) | <ul><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone</li></ul> | IE11 on Windows 10 | This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.<p>If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.<p>If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.<p>If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer's **Security** settings. |
| Hide Internet Explorer 11 Application Retirement Notification | Administrative Templates\Windows Components\Internet Explorer | Internet Explorer 11 on Windows 10 20H2 & newer | This policy setting allows you to prevent the notification bar that informs users of Internet Explorer 11s retirement from showing up. <br>If you disable or dont configure this setting, the notification will be shown. |
| Hide the button (next to the New Tab button) that opens Microsoft Edge | User Configuration\Administrative Templates\Windows Components/Internet Explorer\Internet Settings\Advanced Settings\Browsing\ | IE11 on Windows 10, version 1703 | This policy setting lets you decide whether employees can see the open Microsoft Edge button, which appears next to the New Tab button.<p>If you enable this policy setting, the button to open Microsoft Edge from Internet Explorer will be hidden.<p>If you disable this policy setting, the button to open Microsoft Edge from Internet Explorer appears.<p>If you don't configure this policy setting, the button to open Microsoft Edge from Internet Explorer can be configured by your employees. |
| Let users turn on and use Enterprise Mode from the **Tools** menu | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10 | This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.<p>If you enable this policy setting, users can see and use the **Enterprise Mode** option from the **Tools** menu. If you enable this setting, but dont specify a report location, Enterprise Mode will still be available to your users, but you wont get any reports.<p>If you disable or dont configure this policy setting, the menu option wont appear and users wont be able to turn on Enterprise Mode locally. |
| Limit Site Discovery output by Domain | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to control which domains are included in the discovery function of the Internet Explorer Site Discovery Toolkit.<p>If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in your specified domains, configured by adding one domain per line to the included text box.<p>If you disable or dont configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all domains.<p>**Note:**<br>You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. |

50
education/windows/windows-11-se-overview.md
View File

@ -37,27 +37,37 @@ Windows 11 SE is only available preinstalled on devices from OEMs. The OEM insta
Windows 11 SE comes with some preinstalled apps. The following apps can also run on Windows 11 SE, and are deployed using the [Intune for Education portal](https://intuneeducation.portal.azure.com). For more information, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
---
| Application | Min version | Vendor |
| --- | --- | --- |
| Chrome | 95.0.4638.54 | Google |
| Dragon Assistant | 3.2.98.061 | Nuance Communications |
| Dragon Professional Individual | 15.00.100 | Nuance Communications |
| e-Speaking Voice and Speech recognition | 4.4.0.8 | e-speaking |
| Free NaturalReader | 16.1.2 | Natural Soft |
| Jaws for Windows | 2022.2109.84 ILM | Freedom Scientific |
| Kite Student Portal | 8.0.1 | Dynamic Learning Maps |
| NextUp Talker | 1.0.49 | NextUp Technologies, LLC. |
| NonVisual Desktop Access | 2021.2 | NV Access |
| Read and Write | 12.0.71 | Texthelp Systems Ltd. |
| SuperNova Magnifier & Screen Reader | 20.03 | Dolphin Computer Access |
| SuperNova Magnifier & Speech | 20.03 | Dolphin Computer Access |
| Text Aloud | 4.0.64 | Nextup.com |
| Zoom | 5.8.3 (1581) | Zoom Inc |
| Zoomtext Fusion by AiSquared | 2022.2109.10 | ORF Fusion |
| ZoomText Magnifier/Reader | 2022.2109.25ILM | AI Squared |
---
| Application | Supported version | Vendor |
| --- | --- | --- |
|Blub Digital Portoflio |0.0.7.0 |bulb|
|CA Secure Browser |14.0.0 |Cambium Development|
|Cisco Umbrella |3.0.110.0 |Cisco|
|Dragon Professional Individual |15.00.100 |Nuance Communications|
|DRC INSIGHT Online Assessments |12.0.0.0 |DRC|
|e-Speaking Voice and Speech recognition|4.4.0.8 |e-speaking|
|Free NaturalReader |16.1.2 |Natural Soft|
|GoGuardian |1.4.4 |GoGuardian|
|Google Chrome |97.0.4692.71 |Google|
|Jaws for Windows |2022.2112.24 ILM|Freedom Scientific|
|Kite Student Portal |8.0.1|Dynamic Learning Maps|
|Kortext |2.3.418.0 |Kortext|
|LanSchool |9.1.0.46 |Stoneware|
|Lightspeed Smart Agent |1.9.1 |Lightspeed Systems|
|Mozilla Firefox |96.0.2 |Mozilla|
|NextUp Talker |1.0.49 |NextUp Technologies|
|NonVisual Desktop Access |2021.3.1 |NV Access|
|NWEA Secure Testing Browser |5.4.300.0 |NEWA|
|Read&Write for Windows (US English) |12.0.60.0 |Texthelp Ltd.|
|Safe Exam Broswer |3.3.1 |Safe Exam Broswer|
|Secure Browser |4.8.3.376 |Questar, Inc|
|SuperNova Magnifier & Screen Reader | 20.03 |Dolphin Computer Access|
|SuperNova Magnifier & Speech | 20.03 |Dolphin Computer Access|
|Respondus Lockdown Browser |2.0.8.03 |Respondus|
|TestNav |1.10.2.0 |Pearson Education Inc|
|SecureBrowser |14.0.0 |Cambium Development|
|Zoom |5.9.1 (2581) |Zoom|
|ZoomText Magnifier/Reader |2022.2109.25ILM | AI Squared|
### Enabled apps

2
windows/application-management/remove-provisioned-apps-during-update.md
View File

@ -12,7 +12,7 @@ manager: dansimp
---
# How to keep apps removed from Windows 10 from returning during an update
>Applies to: Windows 10 (Semi-Annual Channel)
> Applies to: Windows 10 (General Availability Channel)
When you update a computer running Windows 10, version 1703 or 1709, you might see provisioned apps that you previously removed return post-update. This can happen if the computer was offline when you removed the apps. This issue was fixed in Windows 10, version 1803.

7
windows/client-management/connect-to-remote-aadj-pc.md
View File

@ -9,7 +9,7 @@ ms.pagetype: devices
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
ms.date: 09/14/2021
ms.date: 01/18/2022
ms.reviewer:
manager: dansimp
ms.topic: article
@ -55,8 +55,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
```
where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD.
This command only works for AADJ device users already added to any of the local groups (administrators).
Otherwise this command throws the below error. For example:
In order to execute this PowerShell command you be a member of the local Administrators group. Otherwise, you'll get an error like this example:
- for cloud only user: "There is no such global user or group : *name*"
- for synced user: "There is no such global user or group : *name*" </br>
@ -67,7 +66,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
- Adding users using policy
Starting in Windows 10, version 2004, you can add users or Azure AD groups to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
> [!TIP]
> When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com.

40
windows/client-management/mdm/bitlocker-csp.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 04/16/2020
ms.date: 02/04/2022
ms.reviewer:
manager: dansimp
ms.collection: highpri
@ -21,7 +21,7 @@ The BitLocker configuration service provider (CSP) is used by the enterprise to
>
> You must send all the settings together in a single SyncML to be effective.
A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns
A `Get` operation on any of the settings, except for `RequireDeviceEncryption` and `RequireStorageCardEncryption`, returns
the setting configured by the admin.
For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
@ -120,7 +120,7 @@ If you want to disable this policy, use the following SyncML:
```
> [!NOTE]
> Currently only used space encryption is supported when using this CSP.
> Currently full disk encryption is supported when using this CSP for silent encryption. For non-silent encryption, encryption type will depend on `SystemDrivesEncryptionType` and `FixedDrivesEncryptionType` configured on the device.
<!--/Policy-->
<!--Policy-->
@ -142,7 +142,7 @@ Allows you to set the default encryption method for each of the different drive
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)</em></li>
<li>GP Friendly name: <em>Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)</em></li>
<li>GP name: <em>EncryptionMethodWithXts_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -216,7 +216,7 @@ Allows you to associate unique organizational identifiers to a new drive that is
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Provide the unique identifiers for your organization </em></li>
<li>GP Friendly name: <em>Provide the unique identifiers for your organization </em></li>
<li>GP name: <em>IdentificationField_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -276,7 +276,7 @@ Allows users on devices that are compliant with InstantGo or the Microsoft Hardw
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN</em></li>
<li>GP Friendly name: <em>Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN</em></li>
<li>GP name: <em>EnablePreBootPinExceptionOnDECapableDevice_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -318,7 +318,7 @@ Allows users to configure whether or not enhanced startup PINs are used with Bit
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Allow enhanced PINs for startup</em></li>
<li>GP Friendly name: <em>Allow enhanced PINs for startup</em></li>
<li>GP name: <em>EnhancedPIN_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -363,7 +363,7 @@ Allows you to configure whether standard users are allowed to change BitLocker P
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Disallow standard users from changing the PIN or password</em></li>
<li>GP Friendly name: <em>Disallow standard users from changing the PIN or password</em></li>
<li>GP name: <em>DisallowStandardUsersCanChangePIN_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -408,7 +408,7 @@ Allows users to enable authentication options that require user input from the p
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Enable use of BitLocker authentication requiring preboot keyboard input on slates</em></li>
<li>GP Friendly name: <em>Enable use of BitLocker authentication requiring preboot keyboard input on slates</em></li>
<li>GP name: <em>EnablePrebootInputProtectorsOnSlates_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -459,7 +459,7 @@ Allows you to configure the encryption type that is used by BitLocker.
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Enforce drive encryption type on operating system drives</em></li>
<li>GP Friendly name: <em>Enforce drive encryption type on operating system drives</em></li>
<li>GP name: <em>OSEncryptionType_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -507,7 +507,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Require addition
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Require additional authentication at startup</em></li>
<li>GP Friendly name: <em>Require additional authentication at startup</em></li>
<li>GP name: <em>ConfigureAdvancedStartup_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -604,7 +604,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure minimu
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name:<em>Configure minimum PIN length for startup</em></li>
<li>GP Friendly name:<em>Configure minimum PIN length for startup</em></li>
<li>GP name: <em>MinimumPINLength_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -670,7 +670,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure pre-bo
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Configure pre-boot recovery message and URL</em></li>
<li>GP Friendly name: <em>Configure pre-boot recovery message and URL</em></li>
<li>GP name: <em>PrebootRecoveryInfo_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -748,7 +748,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLo
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Choose how BitLocker-protected operating system drives can be recovered</em></li>
<li>GP Friendly name: <em>Choose how BitLocker-protected operating system drives can be recovered</em></li>
<li>GP name: <em>OSRecoveryUsage_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -834,7 +834,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLo
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Choose how BitLocker-protected fixed drives can be recovered</em></li>
<li>GP Friendly name: <em>Choose how BitLocker-protected fixed drives can be recovered</em></li>
<li>GP name: <em>FDVRecoveryUsage_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Fixed Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -929,7 +929,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Deny write acces
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Deny write access to fixed drives not protected by BitLocker</em></li>
<li>GP Friendly name: <em>Deny write access to fixed drives not protected by BitLocker</em></li>
<li>GP name: <em>FDVDenyWriteAccess_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Fixed Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -987,7 +987,7 @@ Allows you to configure the encryption type on fixed data drives that is used by
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Enforce drive encryption type on fixed data drives</em></li>
<li>GP Friendly name: <em>Enforce drive encryption type on fixed data drives</em></li>
<li>GP name: <em>FDVEncryptionType_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Fixed Data Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -1037,7 +1037,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Deny write acces
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Deny write access to removable drives not protected by BitLocker</em></li>
<li>GP Friendly name: <em>Deny write access to removable drives not protected by BitLocker</em></li>
<li>GP name: <em>RDVDenyWriteAccess_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Removeable Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -1106,7 +1106,7 @@ Allows you to configure the encryption type that is used by BitLocker.
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Enforce drive encryption type on removable data drives</em></li>
<li>GP Friendly name: <em>Enforce drive encryption type on removable data drives</em></li>
<li>GP name: <em>RDVEncryptionType_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Removable Data Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -1150,7 +1150,7 @@ Allows you to control the use of BitLocker on removable data drives.
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Control use of BitLocker on removable drives</em></li>
<li>GP Friendly name: <em>Control use of BitLocker on removable drives</em></li>
<li>GP name: <em>RDVConfigureBDE_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Removable Data Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>

1
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -1135,6 +1135,7 @@ The following list shows the CSPs supported in HoloLens devices:
- [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
- [Firewall-CSP](firewall-csp.md)
- [HealthAttestation CSP](healthattestation-csp.md)
- [NetworkProxy CSP](networkproxy-csp.md)
- [NetworkQoSPolicy CSP](networkqospolicy-csp.md)
- [NodeCache CSP](nodecache-csp.md)
- [PassportForWork CSP](passportforwork-csp.md)

2
windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
View File

@ -36,7 +36,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
> See [Understanding ADMX policies in Policy CSP](./understanding-admx-backed-policies.md).
1. Find the policy from the list [ADMX policies](./policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description.
- GP English name
- GP Friendly name
- GP name
- GP ADMX file name
- GP path

30
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -7659,6 +7659,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### MemoryDump policies
<dl>
<dd>
<a href="./policy-csp-memorydump.md#memorydump-allowcrashdump" id="memorydump-allowcrashdump">MemoryDump/AllowCrashDump</a>
</dd>
<dd>
<a href="./policy-csp-memorydump.md#memorydump-allowlivedump" id="memorydump-allowlivedump">MemoryDump/AllowLiveDump</a>
</dd>
</dl>
### Messaging policies
<dl>
@ -7776,6 +7787,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
</dl>
### NewsAndInterests policies
<dl>
<dd>
<a href="./policy-csp-newsandinterests.md#newsandinterests-allownewsandinterests" id="newsandinterests-allownewsandinterests">NewsAndInterests/AllowNewsAndInterests</a>
</dd>
</dl>
### Notifications policies
<dl>
@ -8179,6 +8198,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### RemoteDesktop policies
<dl>
<dd>
<a href="./policy-csp-remotedesktop.md#remotedesktop-autosubscription" id="remotedesktop-autosubscription">RemoteDesktop/AutoSubscription</a>
</dd>
<dd>
<a href="./policy-csp-remotedesktop.md#remotedesktop-loadaadcredkeyfromprofile" id="remotedesktop-loadaadcredkeyfromprofile">RemoteDesktop/LoadAadCredKeyFromProfile</a>
</dd>
</dl>
### RemoteDesktopServices policies
<dl>

4
windows/client-management/mdm/policy-csp-admx-errorreporting.md
View File

@ -1068,7 +1068,7 @@ If this policy setting is disabled or not configured, then the consent level def
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Default consent*
- GP Friendly name: *Configure Default consent*
- GP name: *WerDefaultConsent_1*
- GP path: *Windows Components\Windows Error Reporting\Consent*
- GP ADMX file name: *ErrorReporting.admx*
@ -1166,7 +1166,7 @@ If you disable or do not configure this policy setting, the Turn off Windows Err
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Disable Windows Error Reporting*
- GP Friendly name: *Disable Windows Error Reporting*
- GP name: *WerDisable_1*
- GP path: *Windows Components\Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*

52
windows/client-management/mdm/policy-csp-admx-icm.md
View File

@ -148,7 +148,7 @@ If you do not configure this policy setting, the administrator can use the Probl
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Windows Customer Experience Improvement Program*
- GP Friendly name: *Turn off Windows Customer Experience Improvement Program*
- GP name: *CEIPEnable*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -196,7 +196,7 @@ If you disable or do not configure this policy setting, your computer will conta
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Automatic Root Certificates Update*
- GP Friendly name: *Turn off Automatic Root Certificates Update*
- GP name: *CertMgr_DisableAutoRootUpdates*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -247,7 +247,7 @@ If you disable or do not configure this policy setting, users can choose to prin
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off printing over HTTP*
- GP Friendly name: *Turn off printing over HTTP*
- GP name: *DisableHTTPPrinting_1*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -300,7 +300,7 @@ If you disable or do not configure this policy setting, users can download print
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off downloading of print drivers over HTTP*
- GP Friendly name: *Turn off downloading of print drivers over HTTP*
- GP name: *DisableWebPnPDownload_1*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -353,7 +353,7 @@ Also see "Turn off Windows Update device driver search prompt" in "Administrativ
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Windows Update device driver searching*
- GP Friendly name: *Turn off Windows Update device driver searching*
- GP name: *DriverSearchPlaces_DontSearchWindowsUpdate*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -403,7 +403,7 @@ Also, see "Events.asp URL", "Events.asp program", and "Events.asp Program Comman
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Event Viewer "Events.asp" links*
- GP Friendly name: *Turn off Event Viewer "Events.asp" links*
- GP name: *EventViewer_DisableLinks*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -453,7 +453,7 @@ You might want to enable this policy setting for users who do not have Internet
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Help and Support Center "Did you know?" content*
- GP Friendly name: *Turn off Help and Support Center "Did you know?" content*
- GP name: *HSS_HeadlinesPolicy*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -501,7 +501,7 @@ If you disable or do not configure this policy setting, the Knowledge Base is se
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Help and Support Center Microsoft Knowledge Base search*
- GP Friendly name: *Turn off Help and Support Center Microsoft Knowledge Base search*
- GP name: *HSS_KBSearchPolicy*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -549,7 +549,7 @@ If you do not configure this policy setting, all of the the policy settings in t
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Restrict Internet communication*
- GP Friendly name: *Restrict Internet communication*
- GP name: *InternetManagement_RestrictCommunication_1*
- GP path: *System\Internet Communication Management*
- GP ADMX file name: *ICM.admx*
@ -596,7 +596,7 @@ If you do not configure this policy setting, all of the the policy settings in t
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Restrict Internet communication*
- GP Friendly name: *Restrict Internet communication*
- GP name: *InternetManagement_RestrictCommunication_2*
- GP path: *System\Internet Communication Management*
- GP ADMX file name: *ICM.admx*
@ -642,7 +642,7 @@ If you disable or do not configure this policy setting, users can connect to Mic
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com*
- GP Friendly name: *Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com*
- GP name: *NC_ExitOnISP*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -690,7 +690,7 @@ Note that registration is optional and involves submitting some personal informa
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Registration if URL connection is referring to Microsoft.com*
- GP Friendly name: *Turn off Registration if URL connection is referring to Microsoft.com*
- GP name: *NC_NoRegistration*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -742,7 +742,7 @@ Also see the "Configure Error Reporting", "Display Error Notification" and "Disa
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Windows Error Reporting*
- GP Friendly name: *Turn off Windows Error Reporting*
- GP name: *PCH_DoNotReport*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -791,7 +791,7 @@ If you disable or do not configure this policy setting, users can access the Win
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off access to all Windows Update features*
- GP Friendly name: *Turn off access to all Windows Update features*
- GP name: *RemoveWindowsUpdate_ICM*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -842,7 +842,7 @@ If you disable or do not configure this policy setting, Search Companion downloa
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Search Companion content file updates*
- GP Friendly name: *Turn off Search Companion content file updates*
- GP name: *SearchCompanion_DisableFileUpdates*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -890,7 +890,7 @@ If you disable or do not configure this policy setting, the user is allowed to u
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Internet File Association service*
- GP Friendly name: *Turn off Internet File Association service*
- GP name: *ShellNoUseInternetOpenWith_1*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -938,7 +938,7 @@ If you disable or do not configure this policy setting, the user is allowed to u
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Internet File Association service*
- GP Friendly name: *Turn off Internet File Association service*
- GP name: *ShellNoUseInternetOpenWith_2*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -986,7 +986,7 @@ If you disable or do not configure this policy setting, the user is allowed to u
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off access to the Store*
- GP Friendly name: *Turn off access to the Store*
- GP name: *ShellNoUseStoreOpenWith_1*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -1034,7 +1034,7 @@ If you disable or do not configure this policy setting, the user is allowed to u
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off access to the Store*
- GP Friendly name: *Turn off access to the Store*
- GP name: *ShellNoUseStoreOpenWith_2*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -1082,7 +1082,7 @@ See the documentation for the web publishing and online ordering wizards for mor
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Internet download for Web publishing and online ordering wizards*
- GP Friendly name: *Turn off Internet download for Web publishing and online ordering wizards*
- GP name: *ShellPreventWPWDownload_1*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -1128,7 +1128,7 @@ If you disable or do not configure this policy setting, the task is displayed.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off the "Order Prints" picture task*
- GP Friendly name: *Turn off the "Order Prints" picture task*
- GP name: *ShellRemoveOrderPrints_1*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -1176,7 +1176,7 @@ If you disable or do not configure this policy setting, the task is displayed.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off the "Order Prints" picture task*
- GP Friendly name: *Turn off the "Order Prints" picture task*
- GP name: *ShellRemoveOrderPrints_2*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -1222,7 +1222,7 @@ If you enable this policy setting, these tasks are removed from the File and Fol
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off the "Publish to Web" task for files and folders*
- GP Friendly name: *Turn off the "Publish to Web" task for files and folders*
- GP name: *ShellRemovePublishToWeb_1*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -1270,7 +1270,7 @@ If you disable or do not configure this policy setting, the tasks are shown.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off the "Publish to Web" task for files and folders*
- GP Friendly name: *Turn off the "Publish to Web" task for files and folders*
- GP name: *ShellRemovePublishToWeb_2*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -1320,7 +1320,7 @@ If you disable this policy setting, Windows Messenger collects anonymous usage i
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off the Windows Messenger Customer Experience Improvement Program*
- GP Friendly name: *Turn off the Windows Messenger Customer Experience Improvement Program*
- GP name: *WinMSG_NoInstrumentation_1*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -1372,7 +1372,7 @@ If you do not configure this policy setting, users have the choice to opt in and
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off the Windows Messenger Customer Experience Improvement Program*
- GP Friendly name: *Turn off the Windows Messenger Customer Experience Improvement Program*
- GP name: *WinMSG_NoInstrumentation_2*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*

6
windows/client-management/mdm/policy-csp-admx-iscsi.md
View File

@ -76,7 +76,7 @@ If disabled then new iSNS servers may be added and thus new targets discovered v
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow manual configuration of iSNS servers*
- GP Friendly name: *Do not allow manual configuration of iSNS servers*
- GP name: *iSCSIGeneral_RestrictAdditionalLogins*
- GP path: *System\iSCSI\iSCSI Target Discovery*
- GP ADMX file name: *iSCSI.admx*
@ -119,7 +119,7 @@ If disabled then new target portals may be added and thus new targets discovered
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow manual configuration of target portals*
- GP Friendly name: *Do not allow manual configuration of target portals*
- GP name: *iSCSIGeneral_ChangeIQNName*
- GP path: *System\iSCSI\iSCSI Target Discovery*
- GP ADMX file name: *iSCSI.admx*
@ -163,7 +163,7 @@ If disabled then the initiator CHAP secret may be changed.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow changes to initiator CHAP secret*
- GP Friendly name: *Do not allow changes to initiator CHAP secret*
- GP name: *iSCSISecurity_ChangeCHAPSecret*
- GP path: *System\iSCSI\iSCSI Security*
- GP ADMX file name: *iSCSI.admx*

12
windows/client-management/mdm/policy-csp-admx-kdc.md
View File

@ -113,7 +113,7 @@ Impact on domain controller performance when this policy setting is enabled:
<!--ADMXBacked-->
ADMX Info:
- GP English name: *KDC support for claims, compound authentication and Kerberos armoring*
- GP Friendly name: *KDC support for claims, compound authentication and Kerberos armoring*
- GP name: *CbacAndArmor*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*
@ -161,7 +161,7 @@ To ensure consistent behavior, this policy setting must be supported and set ide
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Use forest search order*
- GP Friendly name: *Use forest search order*
- GP name: *ForestSearch*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*
@ -213,7 +213,7 @@ If you disable or not configure this policy setting, then the DC will never offe
<!--ADMXBacked-->
ADMX Info:
- GP English name: *KDC support for PKInit Freshness Extension*
- GP Friendly name: *KDC support for PKInit Freshness Extension*
- GP name: *PKINITFreshness*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*
@ -262,7 +262,7 @@ If you disable or do not configure this policy setting, domain controllers will
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Request compound authentication*
- GP Friendly name: *Request compound authentication*
- GP name: *RequestCompoundId*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*
@ -308,7 +308,7 @@ If you disable or do not configure this policy setting, the threshold value defa
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Warning for large Kerberos tickets*
- GP Friendly name: *Warning for large Kerberos tickets*
- GP name: *TicketSizeThreshold*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*
@ -359,7 +359,7 @@ If you disable or do not configure this policy setting, the domain controller do
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Provide information about previous logons to client computers*
- GP Friendly name: *Provide information about previous logons to client computers*
- GP name: *emitlili*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*

16
windows/client-management/mdm/policy-csp-admx-kerberos.md
View File

@ -95,7 +95,7 @@ If you disable or do not configure this policy setting and the resource domain r
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Always send compound authentication first*
- GP Friendly name: *Always send compound authentication first*
- GP name: *AlwaysSendCompoundId*
- GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx*
@ -148,7 +148,7 @@ If you do not configure this policy setting, Automatic will be used.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Support device authentication using certificate*
- GP Friendly name: *Support device authentication using certificate*
- GP name: *DevicePKInitEnabled*
- GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx*
@ -196,7 +196,7 @@ If you do not configure this policy setting, the system uses the host name-to-Ke
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define host name-to-Kerberos realm mappings*
- GP Friendly name: *Define host name-to-Kerberos realm mappings*
- GP name: *HostToRealm*
- GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx*
@ -243,7 +243,7 @@ If you disable or do not configure this policy setting, the Kerberos client enfo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Disable revocation checking for the SSL certificate of KDC proxy servers*
- GP Friendly name: *Disable revocation checking for the SSL certificate of KDC proxy servers*
- GP name: *KdcProxyDisableServerRevocationCheck*
- GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx*
@ -289,7 +289,7 @@ If you disable or do not configure this policy setting, the Kerberos client does
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify KDC proxy servers for Kerberos clients*
- GP Friendly name: *Specify KDC proxy servers for Kerberos clients*
- GP name: *KdcProxyServer*
- GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx*
@ -337,7 +337,7 @@ If you do not configure this policy setting, the system uses the interoperable K
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define interoperable Kerberos V5 realm settings*
- GP Friendly name: *Define interoperable Kerberos V5 realm settings*
- GP name: *MitRealms*
- GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx*
@ -391,7 +391,7 @@ If you do not configure this policy setting, Automatic will be used.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Support compound authentication*
- GP Friendly name: *Support compound authentication*
- GP name: *ServerAcceptsCompound*
- GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx*
@ -437,7 +437,7 @@ If you disable or do not configure this policy setting, any service is allowed t
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Require strict target SPN match on remote procedure calls*
- GP Friendly name: *Require strict target SPN match on remote procedure calls*
- GP name: *StrictTarget*
- GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx*

8
windows/client-management/mdm/policy-csp-admx-lanmanserver.md
View File

@ -96,7 +96,7 @@ Arrange the desired cipher suites in the edit box, one cipher suite per line, in
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Cipher suite order*
- GP Friendly name: *Cipher suite order*
- GP name: *Pol_CipherSuiteOrder*
- GP path: *Network/Lanman Server*
- GP ADMX file name: *LanmanServer.admx*
@ -156,7 +156,7 @@ In circumstances where this policy setting is enabled, you can also select the f
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Hash Publication for BranchCache*
- GP Friendly name: *Hash Publication for BranchCache*
- GP name: *Pol_HashPublication*
- GP path: *Network/Lanman Server*
- GP ADMX file name: *LanmanServer.admx*
@ -220,7 +220,7 @@ Hash version supported:
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Hash Version support for BranchCache*
- GP Friendly name: *Hash Version support for BranchCache*
- GP name: *Pol_HashSupportVersion*
- GP path: *Network/Lanman Server*
- GP ADMX file name: *LanmanServer.admx*
@ -269,7 +269,7 @@ If you disable or do not configure this policy setting, the SMB server will sele
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Honor cipher suite order*
- GP Friendly name: *Honor cipher suite order*
- GP name: *Pol_HonorCipherSuiteOrder*
- GP path: *Network/Lanman Server*
- GP ADMX file name: *LanmanServer.admx*

6
windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md
View File

@ -98,7 +98,7 @@ Arrange the desired cipher suites in the edit box, one cipher suite per line, in
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Cipher suite order*
- GP Friendly name: *Cipher suite order*
- GP name: *Pol_CipherSuiteOrder*
- GP path: *Network\Lanman Workstation*
- GP ADMX file name: *LanmanWorkstation.admx*
@ -147,7 +147,7 @@ If you disable or do not configure this policy setting, Windows will prevent use
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Handle Caching on Continuous Availability Shares*
- GP Friendly name: *Handle Caching on Continuous Availability Shares*
- GP name: *Pol_EnableHandleCachingForCAFiles*
- GP path: *Network\Lanman Workstation*
- GP ADMX file name: *LanmanWorkstation.admx*
@ -196,7 +196,7 @@ If you disable or do not configure this policy setting, Windows will prevent use
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Offline Files Availability on Continuous Availability Shares*
- GP Friendly name: *Offline Files Availability on Continuous Availability Shares*
- GP name: *Pol_EnableOfflineFilesforCAShares*
- GP path: *Network\Lanman Workstation*
- GP ADMX file name: *LanmanWorkstation.admx*

2
windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md
View File

@ -80,7 +80,7 @@ The DPS can be configured with the Services snap-in to the Microsoft Management
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure custom alert text*
- GP Friendly name: *Configure custom alert text*
- GP name: *WdiScenarioExecutionPolicy*
- GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic*
- GP ADMX file name: *LeakDiagnostic.admx*

4
windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md
View File

@ -76,7 +76,7 @@ If you disable or do not configure this policy setting, the default behavior of
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on Mapper I/O (LLTDIO) driver*
- GP Friendly name: *Turn on Mapper I/O (LLTDIO) driver*
- GP name: *LLTD_EnableLLTDIO*
- GP path: *Network/Link-Layer Topology Discovery*
- GP ADMX file name: *LinkLayerTopologyDiscovery.admx*
@ -124,7 +124,7 @@ If you disable or do not configure this policy setting, the default behavior for
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on Responder (RSPNDR) driver*
- GP Friendly name: *Turn on Responder (RSPNDR) driver*
- GP name: *LLTD_EnableRspndr*
- GP path: *Network/Link-Layer Topology Discovery*
- GP ADMX file name: *LinkLayerTopologyDiscovery.admx*

30
windows/client-management/mdm/policy-csp-admx-logon.md
View File

@ -113,7 +113,7 @@ If you disable or do not configure this policy setting, the user may choose to s
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Block user from showing account details on sign-in*
- GP Friendly name: *Block user from showing account details on sign-in*
- GP name: *BlockUserFromShowingAccountDetailsOnSignin*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -159,7 +159,7 @@ If you disable or do not configure this policy, the logon background image adopt
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Show clear logon background*
- GP Friendly name: *Show clear logon background*
- GP name: *DisableAcrylicBackgroundOnLogon*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -208,7 +208,7 @@ This policy setting appears in the Computer Configuration and User Configuration
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not process the legacy run list*
- GP Friendly name: *Do not process the legacy run list*
- GP name: *DisableExplorerRunLegacy_1*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -257,7 +257,7 @@ This policy setting appears in the Computer Configuration and User Configuration
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not process the legacy run list*
- GP Friendly name: *Do not process the legacy run list*
- GP name: *DisableExplorerRunLegacy_2*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -310,7 +310,7 @@ This policy setting appears in the Computer Configuration and User Configuration
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not process the run once list*
- GP Friendly name: *Do not process the run once list*
- GP name: *DisableExplorerRunOnceLegacy_1*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -363,7 +363,7 @@ This policy setting appears in the Computer Configuration and User Configuration
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not process the run once list*
- GP Friendly name: *Do not process the run once list*
- GP name: *DisableExplorerRunOnceLegacy_2*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -409,7 +409,7 @@ If you disable or do not configure this policy setting, the system displays the
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Remove Boot / Shutdown / Logon / Logoff status messages*
- GP Friendly name: *Remove Boot / Shutdown / Logon / Logoff status messages*
- GP name: *DisableStatusMessages*
- GP path: *System*
- GP ADMX file name: *Logon.admx*
@ -455,7 +455,7 @@ If you disable or do not configure this policy setting, connected users will be
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not enumerate connected users on domain-joined computers*
- GP Friendly name: *Do not enumerate connected users on domain-joined computers*
- GP name: *DontEnumerateConnectedUsers*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -511,7 +511,7 @@ This setting applies only to Windows. It does not affect the "Configure Your Ser
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not display the Getting Started welcome screen at logon*
- GP Friendly name: *Do not display the Getting Started welcome screen at logon*
- GP name: *NoWelcomeTips_1*
- GP path: *System*
- GP ADMX file name: *Logon.admx*
@ -566,7 +566,7 @@ If you disable or do not configure this policy, the welcome screen is displayed
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not display the Getting Started welcome screen at logon*
- GP Friendly name: *Do not display the Getting Started welcome screen at logon*
- GP name: *NoWelcomeTips_2*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -619,7 +619,7 @@ Also, see the "Do not process the legacy run list" and the "Do not process the r
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Run these programs at user logon*
- GP Friendly name: *Run these programs at user logon*
- GP name: *Run_1*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -673,7 +673,7 @@ Also, see the "Do not process the legacy run list" and the "Do not process the r
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Run these programs at user logon*
- GP Friendly name: *Run these programs at user logon*
- GP name: *Run_2*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -737,7 +737,7 @@ If you disable or do not configure this policy setting and users log on to a cli
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Always wait for the network at computer startup and logon*
- GP Friendly name: *Always wait for the network at computer startup and logon*
- GP name: *SyncForegroundPolicy*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -783,7 +783,7 @@ If you disable or do not configure this policy setting, Windows uses the default
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Always use custom logon background*
- GP Friendly name: *Always use custom logon background*
- GP name: *UseOEMBackground*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -834,7 +834,7 @@ If you disable or do not configure this policy setting, only the default status
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Display highly detailed status messages*
- GP Friendly name: *Display highly detailed status messages*
- GP name: *VerboseStatus*
- GP path: *System*
- GP ADMX file name: *Logon.admx*

186
windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
View File

@ -347,7 +347,7 @@ If you disable this setting, the antimalware service will load as a low priority
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow antimalware service to startup with normal priority*
- GP Friendly name: *Allow antimalware service to startup with normal priority*
- GP name: *AllowFastServiceStartup*
- GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx*
@ -397,7 +397,7 @@ Enabling or disabling this policy may lead to unexpected or unsupported behavior
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Microsoft Defender Antivirus*
- GP Friendly name: *Turn off Microsoft Defender Antivirus*
- GP name: *DisableAntiSpywareDefender*
- GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx*
@ -448,7 +448,7 @@ Same as Disabled.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Auto Exclusions*
- GP Friendly name: *Turn off Auto Exclusions*
- GP name: *DisableAutoExclusions*
- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions*
- GP ADMX file name: *WindowsDefender.admx*
@ -500,7 +500,7 @@ This feature requires these Policy settings to be set as follows:
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure the 'Block at First Sight' feature*
- GP Friendly name: *Configure the 'Block at First Sight' feature*
- GP name: *DisableBlockAtFirstSeen*
- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS*
- GP ADMX file name: *WindowsDefender.admx*
@ -546,7 +546,7 @@ If you disable this setting, only items defined by Policy will be used in the re
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local administrator merge behavior for lists*
- GP Friendly name: *Configure local administrator merge behavior for lists*
- GP name: *DisableLocalAdminMerge*
- GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx*
@ -594,7 +594,7 @@ If you disable or do not configure this policy setting, Microsoft Defender Antiv
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off real-time protection*
- GP Friendly name: *Turn off real-time protection*
- GP name: *DisableRealtimeMonitoring*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -640,7 +640,7 @@ If you disable or do not configure this policy setting, Microsoft Defender Antiv
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off routine remediation*
- GP Friendly name: *Turn off routine remediation*
- GP name: *DisableRoutinelyTakingAction*
- GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx*
@ -682,7 +682,7 @@ This policy setting allows you specify a list of file types that should be exclu
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Extension Exclusions*
- GP Friendly name: *Extension Exclusions*
- GP name: *Exclusions_Extensions*
- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions*
- GP ADMX file name: *WindowsDefender.admx*
@ -726,7 +726,7 @@ As an example, a path might be defined as: "c:\Windows" to exclude all files in
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Path Exclusions*
- GP Friendly name: *Path Exclusions*
- GP name: *Exclusions_Paths*
- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions*
- GP ADMX file name: *WindowsDefender.admx*
@ -768,7 +768,7 @@ This policy setting allows you to disable scheduled and real-time scanning for a
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Process Exclusions*
- GP Friendly name: *Process Exclusions*
- GP name: *Exclusions_Processes*
- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions*
- GP ADMX file name: *WindowsDefender.admx*
@ -825,7 +825,7 @@ You can configure ASR rules in the Configure Attack Surface Reduction rules GP s
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Exclude files and paths from Attack Surface Reduction Rules*
- GP Friendly name: *Exclude files and paths from Attack Surface Reduction Rules*
- GP name: *ExploitGuard_ASR_ASROnlyExclusions*
- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction*
- GP ADMX file name: *WindowsDefender.admx*
@ -898,7 +898,7 @@ You can exclude folders or files in the "Exclude files and paths from Attack Sur
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Attack Surface Reduction rules*
- GP Friendly name: *Configure Attack Surface Reduction rules*
- GP name: *ExploitGuard_ASR_Rules*
- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction*
- GP ADMX file name: *WindowsDefender.admx*
@ -957,7 +957,7 @@ Default system folders are automatically guarded, but you can add folders in the
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure allowed applications*
- GP Friendly name: *Configure allowed applications*
- GP name: *ExploitGuard_ControlledFolderAccess_AllowedApplications*
- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access*
- GP ADMX file name: *WindowsDefender.admx*
@ -1017,7 +1017,7 @@ Microsoft Defender Antivirus automatically determines which applications can be
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure protected folders*
- GP Friendly name: *Configure protected folders*
- GP name: *ExploitGuard_ControlledFolderAccess_ProtectedFolders*
- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access*
- GP ADMX file name: *WindowsDefender.admx*
@ -1068,7 +1068,7 @@ Same as Disabled.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Enable file hash computation feature*
- GP Friendly name: *Enable file hash computation feature*
- GP name: *MpEngine_EnableFileHashComputation*
- GP path: *Windows Components\Microsoft Defender Antivirus\MpEngine*
- GP ADMX file name: *WindowsDefender.admx*
@ -1114,7 +1114,7 @@ If you disable this setting, definition retirement will be disabled.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on definition retirement*
- GP Friendly name: *Turn on definition retirement*
- GP name: *Nis_Consumers_IPS_DisableSignatureRetirement*
- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System*
- GP ADMX file name: *WindowsDefender.admx*
@ -1156,7 +1156,7 @@ This policy setting defines additional definition sets to enable for network tra
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify additional definition sets for network traffic inspection*
- GP Friendly name: *Specify additional definition sets for network traffic inspection*
- GP name: *Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid*
- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System*
- GP ADMX file name: *WindowsDefender.admx*
@ -1202,7 +1202,7 @@ If you disable this setting, protocol recognition will be disabled.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on protocol recognition*
- GP Friendly name: *Turn on protocol recognition*
- GP name: *Nis_DisableProtocolRecognition*
- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System*
- GP ADMX file name: *WindowsDefender.admx*
@ -1248,7 +1248,7 @@ If you disable or do not configure this setting, the proxy server will not be by
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define addresses to bypass proxy server*
- GP Friendly name: *Define addresses to bypass proxy server*
- GP name: *ProxyBypass*
- GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx*
@ -1300,7 +1300,7 @@ If you disable or do not configure this setting, the proxy will skip over this f
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define proxy auto-config (.pac) for connecting to the network*
- GP Friendly name: *Define proxy auto-config (.pac) for connecting to the network*
- GP name: *ProxyPacUrl*
- GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx*
@ -1352,7 +1352,7 @@ If you disable or do not configure this setting, the proxy will skip over this f
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define proxy server for connecting to the network*
- GP Friendly name: *Define proxy server for connecting to the network*
- GP name: *ProxyServer*
- GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx*
@ -1398,7 +1398,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for the removal of items from Quarantine folder*
- GP Friendly name: *Configure local setting override for the removal of items from Quarantine folder*
- GP name: *Quarantine_LocalSettingOverridePurgeItemsAfterDelay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Quarantine*
- GP ADMX file name: *WindowsDefender.admx*
@ -1444,7 +1444,7 @@ If you disable or do not configure this setting, items will be kept in the quara
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure removal of items from Quarantine folder*
- GP Friendly name: *Configure removal of items from Quarantine folder*
- GP name: *Quarantine_PurgeItemsAfterDelay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Quarantine*
- GP ADMX file name: *WindowsDefender.admx*
@ -1490,7 +1490,7 @@ If you disable this setting, scheduled tasks will begin at the specified start t
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Randomize scheduled task times*
- GP Friendly name: *Randomize scheduled task times*
- GP name: *RandomizeScheduleTaskTimes*
- GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx*
@ -1536,7 +1536,7 @@ If you disable this setting, behavior monitoring will be disabled.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on behavior monitoring*
- GP Friendly name: *Turn on behavior monitoring*
- GP name: *RealtimeProtection_DisableBehaviorMonitoring*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -1582,7 +1582,7 @@ If you disable this setting, scanning for all downloaded files and attachments w
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Scan all downloaded files and attachments*
- GP Friendly name: *Scan all downloaded files and attachments*
- GP name: *RealtimeProtection_DisableIOAVProtection*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -1628,7 +1628,7 @@ If you disable this setting, monitoring for file and program activity will be di
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Monitor file and program activity on your computer*
- GP Friendly name: *Monitor file and program activity on your computer*
- GP name: *RealtimeProtection_DisableOnAccessProtection*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -1674,7 +1674,7 @@ If you disable this setting, raw write notifications be disabled.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on raw volume write notifications*
- GP Friendly name: *Turn on raw volume write notifications*
- GP name: *RealtimeProtection_DisableRawWriteNotification*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -1720,7 +1720,7 @@ If you disable this setting, a process scan will not be initiated when real-time
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on process scanning whenever real-time protection is enabled*
- GP Friendly name: *Turn on process scanning whenever real-time protection is enabled*
- GP name: *RealtimeProtection_DisableScanOnRealtimeEnable*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -1766,7 +1766,7 @@ If you disable or do not configure this setting, a default size will be applied.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define the maximum size of downloaded files and attachments to be scanned*
- GP Friendly name: *Define the maximum size of downloaded files and attachments to be scanned*
- GP name: *RealtimeProtection_IOAVMaxSize*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -1812,7 +1812,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for turn on behavior monitoring*
- GP Friendly name: *Configure local setting override for turn on behavior monitoring*
- GP name: *RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -1858,7 +1858,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for scanning all downloaded files and attachments*
- GP Friendly name: *Configure local setting override for scanning all downloaded files and attachments*
- GP name: *RealtimeProtection_LocalSettingOverrideDisableIOAVProtection*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -1904,7 +1904,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for monitoring file and program activity on your computer*
- GP Friendly name: *Configure local setting override for monitoring file and program activity on your computer*
- GP name: *RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -1950,7 +1950,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override to turn on real-time protection*
- GP Friendly name: *Configure local setting override to turn on real-time protection*
- GP name: *RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -1996,7 +1996,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for monitoring for incoming and outgoing file activity*
- GP Friendly name: *Configure local setting override for monitoring for incoming and outgoing file activity*
- GP name: *RealtimeProtection_LocalSettingOverrideRealtimeScanDirection*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -2042,7 +2042,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for the time of day to run a scheduled full scan to complete remediation*
- GP Friendly name: *Configure local setting override for the time of day to run a scheduled full scan to complete remediation*
- GP name: *Remediation_LocalSettingOverrideScan_ScheduleTime*
- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation*
- GP ADMX file name: *WindowsDefender.admx*
@ -2100,7 +2100,7 @@ If you disable or do not configure this setting, a scheduled full scan to comple
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify the day of the week to run a scheduled full scan to complete remediation*
- GP Friendly name: *Specify the day of the week to run a scheduled full scan to complete remediation*
- GP name: *Remediation_Scan_ScheduleDay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation*
- GP ADMX file name: *WindowsDefender.admx*
@ -2146,7 +2146,7 @@ If you disable or do not configure this setting, a scheduled full scan to comple
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify the time of day to run a scheduled full scan to complete remediation*
- GP Friendly name: *Specify the time of day to run a scheduled full scan to complete remediation*
- GP name: *Remediation_Scan_ScheduleTime*
- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation*
- GP ADMX file name: *WindowsDefender.admx*
@ -2188,7 +2188,7 @@ This policy setting configures the time in minutes before a detection in the "ad
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure time out for detections requiring additional action*
- GP Friendly name: *Configure time out for detections requiring additional action*
- GP name: *Reporting_AdditionalActionTimeout*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx*
@ -2230,7 +2230,7 @@ This policy setting configures the time in minutes before a detection in the “
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure time out for detections in critically failed state*
- GP Friendly name: *Configure time out for detections in critically failed state*
- GP name: *Reporting_CriticalFailureTimeout*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx*
@ -2276,7 +2276,7 @@ If you enable this setting, Microsoft Defender Antivirus enhanced notifications
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off enhanced notifications*
- GP Friendly name: *Turn off enhanced notifications*
- GP name: *Reporting_DisableEnhancedNotifications*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx*
@ -2321,7 +2321,7 @@ If you disable this setting, Watson events will not be sent.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Watson events*
- GP Friendly name: *Configure Watson events*
- GP name: *Reporting_Disablegenericreports*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx*
@ -2363,7 +2363,7 @@ This policy setting configures the time in minutes before a detection in the "no
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure time out for detections in non-critical failed state*
- GP Friendly name: *Configure time out for detections in non-critical failed state*
- GP name: *Reporting_NonCriticalTimeout*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx*
@ -2403,7 +2403,7 @@ This policy setting configures the time in minutes before a detection in the "co
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure time out for detections in recently remediated state*
- GP Friendly name: *Configure time out for detections in recently remediated state*
- GP name: *Reporting_RecentlyCleanedTimeout*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx*
@ -2445,7 +2445,7 @@ This policy configures Windows software trace preprocessor (WPP Software Tracing
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Windows software trace preprocessor components*
- GP Friendly name: *Configure Windows software trace preprocessor components*
- GP name: *Reporting_WppTracingComponents*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx*
@ -2494,7 +2494,7 @@ Tracing levels are defined as:
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure WPP tracing level*
- GP Friendly name: *Configure WPP tracing level*
- GP name: *Reporting_WppTracingLevel*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx*
@ -2540,7 +2540,7 @@ If you disable this setting, users will not be able to pause scans.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow users to pause scan*
- GP Friendly name: *Allow users to pause scan*
- GP name: *Scan_AllowPause*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -2586,7 +2586,7 @@ If you disable or do not configure this setting, archive files will be scanned t
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify the maximum depth to scan archive files*
- GP Friendly name: *Specify the maximum depth to scan archive files*
- GP name: *Scan_ArchiveMaxDepth*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -2632,7 +2632,7 @@ If you disable or do not configure this setting, archive files will be scanned a
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify the maximum size of archive files to be scanned*
- GP Friendly name: *Specify the maximum size of archive files to be scanned*
- GP name: *Scan_ArchiveMaxSize*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -2679,7 +2679,7 @@ If you disable this setting, archive files will not be scanned.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Scan archive files*
- GP Friendly name: *Scan archive files*
- GP name: *Scan_DisableArchiveScanning*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -2725,7 +2725,7 @@ If you disable or do not configure this setting, e-mail scanning will be disable
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on e-mail scanning*
- GP Friendly name: *Turn on e-mail scanning*
- GP name: *Scan_DisableEmailScanning*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -2771,7 +2771,7 @@ If you disable this setting, heuristics will be disabled.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on heuristics*
- GP Friendly name: *Turn on heuristics*
- GP name: *Scan_DisableHeuristics*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -2817,7 +2817,7 @@ If you disable this setting, packed executables will not be scanned.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Scan packed executables*
- GP Friendly name: *Scan packed executables*
- GP name: *Scan_DisablePackedExeScanning*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -2863,7 +2863,7 @@ If you disable or do not configure this setting, removable drives will not be sc
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Scan removable drives*
- GP Friendly name: *Scan removable drives*
- GP name: *Scan_DisableRemovableDriveScanning*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -2909,7 +2909,7 @@ If you disable or do not configure this setting, reparse point scanning will be
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on reparse point scanning*
- GP Friendly name: *Turn on reparse point scanning*
- GP name: *Scan_DisableReparsePointScanning*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -2955,7 +2955,7 @@ If you disable or do not configure this setting, a system restore point will not
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Create a system restore point*
- GP Friendly name: *Create a system restore point*
- GP name: *Scan_DisableRestorePoint*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3000,7 +3000,7 @@ If you disable or do not configure this setting, mapped network drives will not
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Run full scan on mapped network drives*
- GP Friendly name: *Run full scan on mapped network drives*
- GP name: *Scan_DisableScanningMappedNetworkDrivesForFullScan*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3046,7 +3046,7 @@ If you disable or do not configure this setting, network files will not be scann
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Scan network files*
- GP Friendly name: *Scan network files*
- GP name: *Scan_DisableScanningNetworkFiles*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3092,7 +3092,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for maximum percentage of CPU utilization*
- GP Friendly name: *Configure local setting override for maximum percentage of CPU utilization*
- GP name: *Scan_LocalSettingOverrideAvgCPULoadFactor*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3138,7 +3138,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for the scan type to use for a scheduled scan*
- GP Friendly name: *Configure local setting override for the scan type to use for a scheduled scan*
- GP name: *Scan_LocalSettingOverrideScanParameters*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3184,7 +3184,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for schedule scan day*
- GP Friendly name: *Configure local setting override for schedule scan day*
- GP name: *Scan_LocalSettingOverrideScheduleDay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3230,7 +3230,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for scheduled quick scan time*
- GP Friendly name: *Configure local setting override for scheduled quick scan time*
- GP name: *Scan_LocalSettingOverrideScheduleQuickScantime*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3276,7 +3276,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for scheduled scan time*
- GP Friendly name: *Configure local setting override for scheduled scan time*
- GP name: *Scan_LocalSettingOverrideScheduleTime*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3322,7 +3322,7 @@ If you disable or do not configure this setting, not changes will be made to CPU
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure low CPU priority for scheduled scans*
- GP Friendly name: *Configure low CPU priority for scheduled scans*
- GP name: *Scan_LowCpuPriority*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3368,7 +3368,7 @@ If you disable or do not configure this setting, a catch-up scan will occur afte
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define the number of days after which a catch-up scan is forced*
- GP Friendly name: *Define the number of days after which a catch-up scan is forced*
- GP name: *Scan_MissedScheduledScanCountBeforeCatchup*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3414,7 +3414,7 @@ If you disable or do not configure this setting, items will be kept in the scan
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on removal of items from scan history folder*
- GP Friendly name: *Turn on removal of items from scan history folder*
- GP name: *Scan_PurgeItemsAfterDelay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3460,7 +3460,7 @@ If you disable or do not configure this setting, a quick scan will run at a defa
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify the interval to run quick scans per day*
- GP Friendly name: *Specify the interval to run quick scans per day*
- GP name: *Scan_QuickScanInterval*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3506,7 +3506,7 @@ If you disable this setting, scheduled scans will run at the scheduled time.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Start the scheduled scan only when computer is on but not in use*
- GP Friendly name: *Start the scheduled scan only when computer is on but not in use*
- GP name: *Scan_ScanOnlyIfIdle*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3564,7 +3564,7 @@ If you disable or do not configure this setting, a scheduled scan will run at a
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify the day of the week to run a scheduled scan*
- GP Friendly name: *Specify the day of the week to run a scheduled scan*
- GP name: *Scan_ScheduleDay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3610,7 +3610,7 @@ If you disable or do not configure this setting, a scheduled scan will run at a
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify the time of day to run a scheduled scan*
- GP Friendly name: *Specify the time of day to run a scheduled scan*
- GP name: *Scan_ScheduleTime*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3656,7 +3656,7 @@ If you disable or do not configure this setting, the antimalware service will be
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow antimalware service to remain running always*
- GP Friendly name: *Allow antimalware service to remain running always*
- GP name: *ServiceKeepAlive*
- GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx*
@ -3704,7 +3704,7 @@ If you disable or do not configure this setting, spyware security intelligence w
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define the number of days before spyware security intelligence is considered out of date*
- GP Friendly name: *Define the number of days before spyware security intelligence is considered out of date*
- GP name: *SignatureUpdate_ASSignatureDue*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -3750,7 +3750,7 @@ If you disable or do not configure this setting, virus security intelligence wil
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define the number of days before virus security intelligence is considered out of date*
- GP Friendly name: *Define the number of days before virus security intelligence is considered out of date*
- GP name: *SignatureUpdate_AVSignatureDue*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -3796,7 +3796,7 @@ If you disable or do not configure this setting, the list will remain empty by d
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define file shares for downloading security intelligence updates*
- GP Friendly name: *Define file shares for downloading security intelligence updates*
- GP name: *SignatureUpdate_DefinitionUpdateFileSharesSources*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -3842,7 +3842,7 @@ If you disable this setting, a scan will not start following a security intellig
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on scan after security intelligence update*
- GP Friendly name: *Turn on scan after security intelligence update*
- GP name: *SignatureUpdate_DisableScanOnUpdate*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -3888,7 +3888,7 @@ If you disable this setting, security intelligence updates will be turned off wh
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow security intelligence updates when running on battery power*
- GP Friendly name: *Allow security intelligence updates when running on battery power*
- GP name: *SignatureUpdate_DisableScheduledSignatureUpdateonBattery*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -3934,7 +3934,7 @@ If you disable this setting, security intelligence updates will not be initiated
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Initiate security intelligence update on startup*
- GP Friendly name: *Initiate security intelligence update on startup*
- GP name: *SignatureUpdate_DisableUpdateOnStartupWithoutEngine*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -3982,7 +3982,7 @@ If you disable or do not configure this setting, security intelligence update so
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define the order of sources for downloading security intelligence updates*
- GP Friendly name: *Define the order of sources for downloading security intelligence updates*
- GP name: *SignatureUpdate_FallbackOrder*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -4028,7 +4028,7 @@ If you disable or do not configure this setting, security intelligence updates w
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow security intelligence updates from Microsoft Update*
- GP Friendly name: *Allow security intelligence updates from Microsoft Update*
- GP name: *SignatureUpdate_ForceUpdateFromMU*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -4074,7 +4074,7 @@ If you disable this setting, real-time security intelligence updates will disabl
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow real-time security intelligence updates based on reports to Microsoft MAPS*
- GP Friendly name: *Allow real-time security intelligence updates based on reports to Microsoft MAPS*
- GP name: *SignatureUpdate_RealtimeSignatureDelivery*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -4132,7 +4132,7 @@ If you disable or do not configure this setting, the check for security intellig
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify the day of the week to check for security intelligence updates*
- GP Friendly name: *Specify the day of the week to check for security intelligence updates*
- GP name: *SignatureUpdate_ScheduleDay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -4178,7 +4178,7 @@ If you disable or do not configure this setting, the check for security intelli
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify the time to check for security intelligence updates*
- GP Friendly name: *Specify the time to check for security intelligence updates*
- GP name: *SignatureUpdate_ScheduleTime*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -4222,7 +4222,7 @@ If you disable or do not configure this setting, security intelligence will be r
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define security intelligence location for VDI clients.*
- GP Friendly name: *Define security intelligence location for VDI clients.*
- GP name: *SignatureUpdate_SharedSignaturesLocation*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -4268,7 +4268,7 @@ If you disable this setting, the antimalware service will not receive notificati
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow notifications to disable security intelligence based reports to Microsoft MAPS*
- GP Friendly name: *Allow notifications to disable security intelligence based reports to Microsoft MAPS*
- GP name: *SignatureUpdate_SignatureDisableNotification*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -4314,7 +4314,7 @@ If you disable or do not configure this setting, a catch-up security intelligenc
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define the number of days after which a catch-up security intelligence update is required*
- GP Friendly name: *Define the number of days after which a catch-up security intelligence update is required*
- GP name: *SignatureUpdate_SignatureUpdateCatchupInterval*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -4360,7 +4360,7 @@ If you disable this setting or do not configure this setting, a check for new se
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Check for the latest virus and spyware security intelligence on startup*
- GP Friendly name: *Check for the latest virus and spyware security intelligence on startup*
- GP name: *SignatureUpdate_UpdateOnStartup*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -4420,7 +4420,7 @@ In Windows 10, Basic membership is no longer available, so setting the value to
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Join Microsoft MAPS*
- GP Friendly name: *Join Microsoft MAPS*
- GP name: *SpynetReporting*
- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS*
- GP ADMX file name: *WindowsDefender.admx*
@ -4466,7 +4466,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for reporting to Microsoft MAPS*
- GP Friendly name: *Configure local setting override for reporting to Microsoft MAPS*
- GP name: *Spynet_LocalSettingOverrideSpynetReporting*
- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS*
- GP ADMX file name: *WindowsDefender.admx*
@ -4515,7 +4515,7 @@ Valid remediation action values are:
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify threats upon which default action should not be taken when detected*
- GP Friendly name: *Specify threats upon which default action should not be taken when detected*
- GP name: *Threats_ThreatIdDefaultAction*
- GP path: *Windows Components\Microsoft Defender Antivirus\Threats*
- GP ADMX file name: *WindowsDefender.admx*
@ -4561,7 +4561,7 @@ If you disable or do not configure this setting, there will be no additional tex
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Display additional text to clients when they need to perform an action*
- GP Friendly name: *Display additional text to clients when they need to perform an action*
- GP name: *UX_Configuration_CustomDefaultActionToastString*
- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface*
- GP ADMX file name: *WindowsDefender.admx*
@ -4607,7 +4607,7 @@ If you enable this setting, Microsoft Defender Antivirus notifications will not
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Suppress all notifications*
- GP Friendly name: *Suppress all notifications*
- GP name: *UX_Configuration_Notification_Suppress*
- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface*
- GP ADMX file name: *WindowsDefender.admx*
@ -4651,7 +4651,7 @@ If you enable this setting AM UI won't show reboot notifications.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Suppresses reboot notifications*
- GP Friendly name: *Suppresses reboot notifications*
- GP name: *UX_Configuration_SuppressRebootNotification*
- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface*
- GP ADMX file name: *WindowsDefender.admx*
@ -4695,7 +4695,7 @@ If you enable this setting AM UI won't be available to users.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Enable headless UI mode*
- GP Friendly name: *Enable headless UI mode*
- GP name: *UX_Configuration_UILockdown*
- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface*
- GP ADMX file name: *WindowsDefender.admx*

10
windows/client-management/mdm/policy-csp-admx-mmc.md
View File

@ -93,7 +93,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *ActiveX Control*
- GP Friendly name: *ActiveX Control*
- GP name: *MMC_ActiveXControl*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMC.admx*
@ -149,7 +149,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Extended View (Web View)*
- GP Friendly name: *Extended View (Web View)*
- GP name: *MMC_ExtendView*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMC.admx*
@ -205,7 +205,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Link to Web Address*
- GP Friendly name: *Link to Web Address*
- GP name: *MMC_LinkToWeb*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMC.admx*
@ -255,7 +255,7 @@ If you disable this setting or do not configure it, users can enter author mode
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Restrict the user from entering author mode*
- GP Friendly name: *Restrict the user from entering author mode*
- GP name: *MMC_Restrict_Author*
- GP path: *Windows Components\Microsoft Management Console*
- GP ADMX file name: *MMC.admx*
@ -310,7 +310,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Restrict users to the explicitly permitted list of snap-ins*
- GP Friendly name: *Restrict users to the explicitly permitted list of snap-ins*
- GP name: *MMC_Restrict_To_Permitted_Snapins*
- GP path: *Windows Components\Microsoft Management Console*
- GP ADMX file name: *MMC.admx*

48
windows/client-management/mdm/policy-csp-admx-mmcsnapins.md
View File

@ -4774,7 +4774,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Security Settings*
- GP Friendly name: *Security Settings*
- GP name: *MMC_SecuritySettings_1*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -4828,7 +4828,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Security Settings*
- GP Friendly name: *Security Settings*
- GP name: *MMC_SecuritySettings_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -4882,7 +4882,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Security Templates*
- GP Friendly name: *Security Templates*
- GP name: *MMC_SecurityTemplates*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -4936,7 +4936,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Send Console Message*
- GP Friendly name: *Send Console Message*
- GP name: *MMC_SendConsoleMessage*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -4990,7 +4990,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Server Manager*
- GP Friendly name: *Server Manager*
- GP name: *MMC_ServerManager*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5044,7 +5044,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Service Dependencies*
- GP Friendly name: *Service Dependencies*
- GP name: *MMC_ServiceDependencies*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5098,7 +5098,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Services*
- GP Friendly name: *Services*
- GP name: *MMC_Services*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5152,7 +5152,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Shared Folders*
- GP Friendly name: *Shared Folders*
- GP name: *MMC_SharedFolders*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5206,7 +5206,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Shared Folders Ext*
- GP Friendly name: *Shared Folders Ext*
- GP name: *MMC_SharedFolders_Ext*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5260,7 +5260,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Software Installation (Computers)*
- GP Friendly name: *Software Installation (Computers)*
- GP name: *MMC_SoftwareInstalationComputers_1*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -5314,7 +5314,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Software Installation (Computers)*
- GP Friendly name: *Software Installation (Computers)*
- GP name: *MMC_SoftwareInstalationComputers_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -5368,7 +5368,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Software Installation (Users)*
- GP Friendly name: *Software Installation (Users)*
- GP name: *MMC_SoftwareInstallationUsers_1*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -5422,7 +5422,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Software Installation (Users)*
- GP Friendly name: *Software Installation (Users)*
- GP name: *MMC_SoftwareInstallationUsers_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -5476,7 +5476,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *System Information*
- GP Friendly name: *System Information*
- GP name: *MMC_SysInfo*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5530,7 +5530,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *System Properties*
- GP Friendly name: *System Properties*
- GP name: *MMC_SysProp*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5584,7 +5584,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *TPM Management*
- GP Friendly name: *TPM Management*
- GP name: *MMC_TPMManagement*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5638,7 +5638,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Telephony*
- GP Friendly name: *Telephony*
- GP name: *MMC_Telephony*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5692,7 +5692,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Remote Desktop Services Configuration*
- GP Friendly name: *Remote Desktop Services Configuration*
- GP name: *MMC_TerminalServices*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5746,7 +5746,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *WMI Control*
- GP Friendly name: *WMI Control*
- GP name: *MMC_WMI*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5800,7 +5800,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Windows Firewall with Advanced Security*
- GP Friendly name: *Windows Firewall with Advanced Security*
- GP name: *MMC_WindowsFirewall*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5854,7 +5854,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Windows Firewall with Advanced Security*
- GP Friendly name: *Windows Firewall with Advanced Security*
- GP name: *MMC_WindowsFirewall_GP*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -5908,7 +5908,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Wired Network (IEEE 802.3) Policies*
- GP Friendly name: *Wired Network (IEEE 802.3) Policies*
- GP name: *MMC_WiredNetworkPolicy*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -5962,7 +5962,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Wireless Monitor*
- GP Friendly name: *Wireless Monitor*
- GP name: *MMC_WirelessMon*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -6016,7 +6016,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Wireless Network (IEEE 802.11) Policies*
- GP Friendly name: *Wireless Network (IEEE 802.11) Policies*
- GP name: *MMC_WirelessNetworkPolicy*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*

2
windows/client-management/mdm/policy-csp-attachmentmanager.md
View File

@ -183,7 +183,7 @@ If you do not configure this policy setting, Windows does not call the registere
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Notify antivirus programs when opening attachments*
- GP Friendly name: *Notify antivirus programs when opening attachments*
- GP name: *AM_CallIOfficeAntiVirus*
- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*

3
windows/client-management/mdm/policy-csp-browser.md
View File

@ -15,7 +15,8 @@ ms.localizationpriority: medium
# Policy CSP - Browser
> [!NOTE]
> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/).
> These settings are for the previous version of Microsoft Edge (version 45 and earlier) and are deprecated. These settings will be removed in a future Windows release. Microsoft recommends updating your version of Microsoft Edge to version 77 or later and use the ADMX Ingestion function for management. Learn more about how to [Configure Microsoft Edge using Mobile Device Management](/deployedge/configure-edge-with-mdm).
<!--Policies-->
## Browser policies

54
windows/client-management/mdm/policy-csp-defender.md
View File

@ -128,6 +128,9 @@ ms.collection: highpri
<dd>
<a href="#defender-schedulescantime">Defender/ScheduleScanTime</a>
</dd>
<dd>
<a href="#defender-securityintelligencelocation">Defender/SecurityIntelligenceLocation</a>
</dd>
<dd>
<a href="#defender-signatureupdatefallbackorder">Defender/SignatureUpdateFallbackOrder</a>
</dd>
@ -2063,6 +2066,57 @@ Valid values: 01380.
<hr/>
<!--Policy-->
<a href="" id="defender-securityintelligencelocation"></a>**Defender/SecurityIntelligenceLocation**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to define the security intelligence location for VDI-configured computers.
If you disable or do not configure this setting, security intelligence will be referred from the default local source.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Define security intelligence location for VDI clients*
- GP name: *SecurityIntelligenceLocation*
- GP element: *SecurityIntelligenceLocation*
- GP path: *Windows Components/Microsoft Defender Antivirus/Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
- Empty string - no policy is set
- Non-empty string - the policy is set and security intelligence is gathered from the location
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="defender-signatureupdatefallbackorder"></a>**Defender/SignatureUpdateFallbackOrder**

77
windows/client-management/mdm/policy-csp-experience.md
View File

@ -40,9 +40,15 @@ manager: dansimp
<dd>
<a href="#experience-allowsaveasofofficefiles">Experience/AllowSaveAsOfOfficeFiles</a>
</dd>
<dd>
<a href="#experience-allowscreencapture">Experience/AllowScreenCapture</a>
</dd>
<dd>
<a href="#experience-allowsharingofofficefiles">Experience/AllowSharingOfOfficeFiles</a>
</dd>
<dd>
<a href="#experience-allowsimerrordialogpromptwhennosim">Experience/AllowSIMErrorDialogPromptWhenNoSIM</a>
</dd>
<dd>
<a href="#experience-allowsyncmysettings">Experience/AllowSyncMySettings</a>
</dd>
@ -362,6 +368,43 @@ This policy is deprecated.
<hr/>
<!--Policy-->
<a href="" id="experience-allowscreencapture"></a>**Experience/AllowScreenCapture**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
<!--SupportedValues-->
Describe what value are supported in by this policy and meaning of each value is default value.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="experience-allowsharingofofficefiles"></a>**Experience/AllowSharingOfOfficeFiles**
@ -371,6 +414,40 @@ This policy is deprecated.
<!--/Description-->
<!--/Policy-->
<!--Policy-->
<a href="" id="experience-allowsimerrordialogpromptwhennosim"></a>**Experience/AllowSIMErrorDialogPromptWhenNoSIM**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
<!--SupportedValues-->
Describes what value are supported in by this policy and meaning of each value is default value.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->

59
windows/client-management/mdm/policy-csp-internetexplorer.md
View File

@ -212,6 +212,9 @@ manager: dansimp
<dd>
<a href="#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains">InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains</a>
</dd>
<dd>
<a href="#internetexplorer-enableextendediemodehotkeys">InternetExplorer/EnableExtendedIEModeHotkeys</a>
</dd>
<dd>
<a href="#internetexplorer-includealllocalsites">InternetExplorer/IncludeAllLocalSites</a>
</dd>
@ -1953,7 +1956,7 @@ ADMX Info:
<!--Description-->
This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.
Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)
Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Medium template), Intranet zone (Medium-Low template), Internet zone (Medium-high template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)
If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site.  For each entry that you add to the list, enter the following information:
@ -4270,6 +4273,58 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-enableextendediemodehotkeys"></a>**InternetExplorer/EnableExtendedIEModeHotkeys**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting lets admins enable extended Microsoft Edge Internet Explorer mode hotkeys, such as "Ctrl+S" to have "Save as" functionality.
- If you enable this policy, extended hotkey functionality is enabled in Internet Explorer mode and work the same as Internet Explorer.
- If you disable, or don't configure this policy, extended hotkeys will not work in Internet Explorer mode.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) - Disabled.
- 1 - Enabled.
<!--/SupportedValues-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Allows enterprises to provide their users with a single-browser experience*
- GP name: *EnableExtendedIEModeHotkeys*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-includealllocalsites"></a>**InternetExplorer/IncludeAllLocalSites**
@ -13951,4 +14006,4 @@ ADMX Info:
<!--/Policy-->
<hr/>
<!--/Policies-->
<!--/Policies-->

55
windows/client-management/mdm/policy-csp-kerberos.md
View File

@ -24,6 +24,9 @@ manager: dansimp
<dd>
<a href="#kerberos-allowforestsearchorder">Kerberos/AllowForestSearchOrder</a>
</dd>
<dd>
<a href="#kerberos-cloudkerberosticketretrievalenabled">Kerberos/CloudKerberosTicketRetrievalEnabled</a>
</dd>
<dd>
<a href="#kerberos-kerberosclientsupportsclaimscompoundarmor">Kerberos/KerberosClientSupportsClaimsCompoundArmor</a>
</dd>
@ -100,6 +103,58 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="kerberos-cloudkerberosticketretrievalenabled"></a>**Kerberos/CloudKerberosTicketRetrievalEnabled**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows retrieving the cloud Kerberos ticket during the logon.
- If you disable (0) or do not configure this policy setting, the cloud Kerberos ticket is not retrieved during the logon.
- If you enable (1) this policy, the cloud Kerberos ticket is retrieved during the logon.
<!--/Description-->
<!--SupportedValues-->
Valid values:
0 (default) - Disabled.
1 - Enabled.
<!--/SupportedValues-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Allow retrieving the cloud Kerberos ticket during the logon*
- GP name: *CloudKerberosTicketRetrievalEnabled*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-kerberosclientsupportsclaimscompoundarmor"></a>**Kerberos/KerberosClientSupportsClaimsCompoundArmor**

51
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

@ -25,6 +25,8 @@ manager: dansimp
</dd>
<dd>
<a href="#localpoliciessecurityoptions-accounts-enableadministratoraccountstatus">LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</a>
</dd> <dd>
<a href="#localpoliciessecurityoptions-accounts-enableguestaccountstatus">LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly">LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly</a>
@ -272,8 +274,55 @@ The following list shows the supported values:
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-accounts-enableguestaccountstatus"></a>**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This setting allows the administrator to enable the guest Administrator account.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP Friendly name: *Accounts: Enable Guest Account Status*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - disabled (local Administrator account is disabled).
- 1 - enabled (local Administrator account is enabled).
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly"></a>**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly**
<!--SupportedSKUs-->

117
windows/client-management/mdm/policy-csp-memorydump.md Normal file
View File

@ -0,0 +1,117 @@
---
title: Policy CSP - MemoryDump
description: Use the Policy CSP
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
# Policy CSP - MemoryDump
<hr/>
<!--Policies-->
## MemoryDump policies
<dl>
<dd>
<a href="#memorydump-allowcrashdump">MemoryDump/AllowCrashDump</a>
</dd>
<dd>
<a href="#memorydump-allowlivedump">MemoryDump/AllowLiveDump</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="memorydump-allowcrashdump"></a>**MemoryDump/AllowCrashDump**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting decides if crash dump collection on the machine is allowed or not.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - Disable crash dump collection.
- 1 (default) - Allow crash dump collection.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="memorydump-allowlivedump"></a>**MemoryDump/AllowLiveDump**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting decides if crash dump collection on the machine is allowed or not.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - Disable crash dump collection.
- 1 (default) - Allow crash dump collection.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--/Policies-->

180
windows/client-management/mdm/policy-csp-mixedreality.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 10/12/2021
ms.date: 1/31/2022
ms.reviewer:
manager: dansimp
---
@ -29,12 +29,21 @@ manager: dansimp
<dd>
<a href="#mixedreality-brightnessbuttondisabled">MixedReality/BrightnessButtonDisabled</a>
</dd>
<dd>
<a href="#mixedreality-configuremovingplatform">MixedReality/ConfigureMovingPlatform</a>
</dd>
<dd>
<a href="#mixedreality-fallbackdiagnostics">MixedReality/FallbackDiagnostics</a>
</dd>
<dd>
<a href="#mixedreality-headtrackingmode">MixedReality/HeadTrackingMode/a>
</dd>
<dd>
<a href="#mixedreality-microphonedisabled">MixedReality/MicrophoneDisabled</a>
</dd>
<dd>
<a href="#mixedreality-visitorautologon">MixedReality/VisitorAutoLogon</a>
</dd>
<dd>
<a href="#mixedreality-volumebuttondisabled">MixedReality/VolumeButtonDisabled</a>
</dd>
@ -49,8 +58,8 @@ manager: dansimp
|Windows Edition|Supported|
|--- |--- |
|HoloLens (1st gen) Development Edition|No|
|HoloLens (1st gen) Commercial Suite|No|
|HoloLens (first gen) Development Edition|No|
|HoloLens (first gen) Commercial Suite|No|
|HoloLens 2|Yes|
Steps to use this policy correctly:
@ -62,7 +71,7 @@ Steps to use this policy correctly:
1. Enroll HoloLens devices and verify both configurations get applied to the device.
1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created.
1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days.
1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point is that any Azure AD user must sign in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted.
1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted.
> [!NOTE]
> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments.
@ -77,22 +86,23 @@ Steps to use this policy correctly:
|Windows Edition|Supported|
|--- |--- |
|HoloLens (1st gen) Development Edition|No|
|HoloLens (1st gen) Commercial Suite|No|
|HoloLens (first gen) Development Edition|No|
|HoloLens (first gen) Commercial Suite|No|
|HoloLens 2|Yes|
<!--/Description-->
This new AutoLogonUser policy controls whether a user will be automatically logged on. Some customers want to set up devices that are tied to an identity but don't want any sign in experience. Imagine picking up a device and using remote assist immediately. Or have a benefit of being able to rapidly distribute HoloLens devices and enable their end users to speed up login.
When the policy is set to a non-empty value, it specifies the email address of the auto log on user. The specified user must logon to the device at least once to enable autologon.
When the policy is set to a non-empty value, it specifies the email address of the auto log-on user. The specified user must logon to the device at least once to enable autologon.
The OMA-URI of new policy `./Device/Vendor/MSFT/Policy/Config/MixedReality/AutoLogonUser`
<!--SupportedValues-->
String value
- User with the same email address will have autologon enabled.
On a device where this policy is configured, the user specified in the policy will need to log on at least once. Subsequent reboots of the device after the first logon will have the specified user automatically logged on. Only a single autologon user is supported. Once enabled, the automatically logged on user will not be able to log out manually. To log on as a different user, the policy must first be disabled.
On a device where this policy is configured, the user specified in the policy will need to log-on at least once. Subsequent reboots of the device after the first logon will have the specified user automatically logged on. Only a single autologon user is supported. Once enabled, the automatically logged on user will not be able to log out manually. To log-on as a different user, the policy must first be disabled.
> [!NOTE]
>
@ -120,6 +130,8 @@ This policy setting controls for how many days Azure AD group membership cache i
<!--/ADMXBacked-->
<!--SupportedValues-->
- Integer value
Supported values are 0-60. The default value is 0 (day) and maximum value is 60 (days).
<!--/SupportedValues-->
@ -133,8 +145,8 @@ Supported values are 0-60. The default value is 0 (day) and maximum value is 60
|Windows Edition|Supported|
|--- |--- |
|HoloLens (1st gen) Development Edition|No|
|HoloLens (1st gen) Commercial Suite|No|
|HoloLens (first gen) Development Edition|No|
|HoloLens (first gen) Commercial Suite|No|
|HoloLens 2|Yes|
<!--/SupportedSKUs-->
@ -158,6 +170,8 @@ This policy setting controls if pressing the brightness button changes the brigh
<!--/ADMXBacked-->
<!--SupportedValues-->
- Boolean value
The following list shows the supported values:
- 0 - False (Default)
@ -167,6 +181,48 @@ The following list shows the supported values:
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="mixedreality-configuremovingplatform"></a>**MixedReality/ConfigureMovingPlatform**
<!--SupportedSKUs-->
|Windows Edition|Supported|
|--- |--- |
|HoloLens (first gen) Development Edition|No|
|HoloLens (first gen) Commercial Suite|No|
|HoloLens 2|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls the behavior of moving platform feature on Hololens 2, that is, whether it is turned off / on or it can be toggled by a user. It should only be used by customers who intend to use Hololens 2 in moving environments with low dynamic motion. For background information, see [HoloLens 2 Moving Platform Mode | Microsoft Docs](/hololens/hololens2-moving-platform#:~:text=Why%20Moving%20Platform%20Mode%20is%20Necessary%20HoloLens%20needs%2csimilar%20pieces%20of%20information%20from%20two%20separate%20sources:).
<!--/Description-->
<!--ADMXBacked-->
<!--/ADMXBacked-->
<!--SupportedValues-->
- Integer value
- 0 (Default) - Last set user's preference. Initial state is OFF and after that user's preference is persisted across reboots and is used to initialize the system.
- 1 Force off - Moving platform is disabled and cannot be changed by user.
- 2 Force on - Moving platform is enabled and cannot be changed by user.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="mixedreality-fallbackdiagnostics"></a>**MixedReality/FallbackDiagnostics**
@ -174,8 +230,8 @@ The following list shows the supported values:
|Windows Edition|Supported|
|--- |--- |
|HoloLens (1st gen) Development Edition|No|
|HoloLens (1st gen) Commercial Suite|No|
|HoloLens (first gen) Development Edition|No|
|HoloLens (first gen) Commercial Suite|No|
|HoloLens 2|Yes|
<!--/SupportedSKUs-->
@ -199,6 +255,8 @@ This policy setting controls when and if diagnostic logs can be collected using
<!--/ADMXBacked-->
<!--SupportedValues-->
- Integer value
The following list shows the supported values:
- 0 - Disabled
@ -209,6 +267,49 @@ The following list shows the supported values:
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="mixedreality-headtrackingmode"></a>**MixedReality/HeadTrackingMode**
<!--SupportedSKUs-->
|Windows Edition|Supported|
|--- |--- |
|HoloLens (first gen) Development Edition|No|
|HoloLens (first gen) Commercial Suite|No|
|HoloLens 2|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy configures behavior of HUP to determine, which algorithm to use for head tracking. It requires a reboot for the policy to take effect.
<!--/Description-->
<!--ADMXBacked-->
<!--/ADMXBacked-->
<!--SupportedValues-->
- Boolean value
The following list shows the supported values:
- 0 - Feature Default feature based / SLAM-based tracker (Default)
- 1 - Constellation LR constellation based tracker
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="mixedreality-microphonedisabled"></a>**MixedReality/MicrophoneDisabled**
@ -216,8 +317,8 @@ The following list shows the supported values:
|Windows Edition|Supported|
|--- |--- |
|HoloLens (1st gen) Development Edition|No|
|HoloLens (1st gen) Commercial Suite|No|
|HoloLens (first gen) Development Edition|No|
|HoloLens (first gen) Commercial Suite|No|
|HoloLens 2|Yes|
<!--/SupportedSKUs-->
@ -241,6 +342,8 @@ This policy setting controls whether microphone on HoloLens 2 is disabled or not
<!--/ADMXBacked-->
<!--SupportedValues-->
- Boolean value
The following list shows the supported values:
- 0 - False (Default)
@ -257,8 +360,8 @@ The following list shows the supported values:
|Windows Edition|Supported|
|--- |--- |
|HoloLens (1st gen) Development Edition|No|
|HoloLens (1st gen) Commercial Suite|No|
|HoloLens (first gen) Development Edition|No|
|HoloLens (first gen) Commercial Suite|No|
|HoloLens 2|Yes|
<!--/SupportedSKUs-->
@ -282,6 +385,8 @@ This policy setting controls if pressing the volume button changes the volume or
<!--/ADMXBacked-->
<!--SupportedValues-->
- Boolean value
The following list shows the supported values:
- 0 - False (Default)
@ -291,4 +396,47 @@ The following list shows the supported values:
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="mixedreality-visitorautologon"></a>**MixedReality/VisitorAutoLogon**
<!--SupportedSKUs-->
|Windows Edition|Supported|
|--- |--- |
|HoloLens (first gen) Development Edition|No|
|HoloLens (first gen) Commercial Suite|No|
|HoloLens 2|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls whether a visitor user will be automatically logged in. Visitor users can only be created and logged in if an Assigned Access profile has been created targeting visitor users. A visitor user will only be automatically logged in if no other user has logged in on the device before.
<!--/Description-->
<!--ADMXBacked-->
<!--/ADMXBacked-->
<!--SupportedValues-->
- Boolean value
The following list shows the supported values:
- 0 Disabled (Default)
- 1 Enabled
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--/Policies-->

86
windows/client-management/mdm/policy-csp-newsandinterests.md Normal file
View File

@ -0,0 +1,86 @@
---
title: Policy CSP - NewsAndInterests
description: Learn how Policy CSP - NewsandInterests contains a list of news and interests.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
# Policy CSP - NewsAndInterests
<hr/>
<!--Policies-->
## NewsAndInterests policies
<dl>
<dd>
<a href="#newsandinterests-allownewsandinterests">NewsAndInterests/AllowNewsAndInterests</a>
</dd>
<hr/>
<!--Policy-->
<a href="" id="newsandinterests-allownewsandinterests"></a>**NewsAndInterests/AllowNewsAndInterests**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy specifies whether to allow the entire widgets experience, including the content on taskbar.
<!--/Description-->
<!--SupportedValues-->
The following are the supported values:
- 1 - Default - Allowed
- 0 - Not allowed.
<!--/SupportedValues-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Specifies whether to allow the entire widgets experience, including the content on taskbar*.
- GP name: *AllowNewsAndInterests*
- GP path: *Network/NewsandInterests*
- GP ADMX file name: *NewsandInterests.admx*
<!--/ADMXMapped-->
<!--/Policy-->
<hr/>
<!--/Policies-->

302
windows/client-management/mdm/policy-csp-printers.md
View File

@ -22,6 +22,18 @@ manager: dansimp
## Printers policies
<dl>
<dd>
<a href="#printers-approvedusbprintdevices">Printers/ApprovedUsbPrintDevices</a>
</dd>
<dd>
<a href="#printers-approvedusbprintdevicesuser">Printers/ApprovedUsbPrintDevicesUser</a>
</dd>
<dd>
<a href="#printers-enabledevicecontrol">Printers/EnableDeviceControl</a>
</dd>
<dd>
<a href="#printers-enabledevicecontroluser">Printers/EnableDeviceControlUser</a>
</dd>
<dd>
<a href="#printers-pointandprintrestrictions">Printers/PointAndPrintRestrictions</a>
</dd>
@ -42,6 +54,296 @@ manager: dansimp
<hr/>
<!--Policy-->
<a href="" id="printers-approvedusbprintdevices"></a>**Printers/ApprovedUsbPrintDevices**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy implements the print portion of the Device Control requirements.
These requirements include restricting printing to USB connected printers which match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network.
This policy will contain the comma separated list of approved USB Vid&Pid combinations which the print spooler will allow to print when Device Control is enabled.
The format of this setting is `<vid>/<pid>[,<vid>/<pid>]`
Parent deliverable: 26209274 - Device Control: Printer
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Support for new Device Control Print feature*
- GP name: *ApprovedUsbPrintDevices*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="printers-approvedusbprintdevicesuser"></a>**Printers/ApprovedUsbPrintDevicesUser**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy implements the print portion of the Device Control requirements.
These requirements include restricting printing to USB connected printers which match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network.
This policy will contain the comma separated list of approved USB Vid&Pid combinations which the print spooler will allow to print when Device Control is enabled.
The format of this setting is `<vid>/<pid>[,<vid>/<pid>]`
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Support for new Device Control Print feature*
- GP name: *ApprovedUsbPrintDevicesUser*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--Policy-->
<a href="" id="printers-enabledevicecontrol"></a>**Printers/EnableDeviceControl**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy implements the print portion of the Device Control requirements.
These requirements include restricting printing to USB connected printers which match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network.
This policy will control whether the print spooler will attempt to restrict printing as part of Device Control.
The default value of the policy will be Unconfigured.
If the policy value is either Unconfigured or Disabled the print spooler will not restrict printing.
If the policy value is Enabled the print spooler will restrict local printing to USB devices in the Approved Device list.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Support for new Device Control Print feature*
- GP name: *EnableDeviceControl*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="printers-enabledevicecontroluser"></a>**Printers/EnableDeviceControlUser**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy implements the print portion of the Device Control requirements.
These requirements include restricting printing to USB connected printers which match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network.
This policy will control whether the print spooler will attempt to restrict printing as part of Device Control.
The default value of the policy will be Unconfigured.
If the policy value is either Unconfigured or Disabled the print spooler will not restrict printing.
If the policy value is Enabled the print spooler will restrict local printing to USB devices in the Approved Device list.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Support for new Device Control Print feature*
- GP name: *EnableDeviceControlUser*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="printers-pointandprintrestrictions"></a>**Printers/PointAndPrintRestrictions**

159
windows/client-management/mdm/policy-csp-remotedesktop.md
View File

@ -64,6 +64,8 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
This policy allows the user to load the DPAPI cred key from their user profile and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data.
<!--/Description-->
<!--ADMXBacked-->
@ -105,160 +107,29 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.
If you enable this policy setting, log files are generated.
If you disable this policy setting, log files are not generated.
If you do not configure this setting, application-based settings are used.
This policy allows the user to load the DPAPI cred key from their user profile and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) - Disabled.
- 1 - Enabled.
<!--/SupportedValues-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Turn on session logging*
- GP name: *RA_Logging*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
- GP Friendly name: *Allow DPAPI cred keys to be loaded from user profiles during logon for AADJ accounts*
- GP name: *LoadAadCredKeyFromProfile*
- GP path: *System/RemoteDesktop*
- GP ADMX file name: *remotedesktop.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="remoteassistance-solicitedremoteassistance"></a>**RemoteAssistance/SolicitedRemoteAssistance**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.
If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings.
If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer.
If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings.
If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer."
The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open.
The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported.
If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure Solicited Remote Assistance*
- GP name: *RA_Solicit*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="remoteassistance-unsolicitedremoteassistance"></a>**RemoteAssistance/UnsolicitedRemoteAssistance**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.
If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance.
To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format:
`<Domain Name>\<User Name>` or
`<Domain Name>\<Group Name>`
If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running.
Windows Vista and later
Enable the Remote Assistance exception for the domain profile. The exception must contain:
Port 135:TCP
%WINDIR%\System32\msra.exe
%WINDIR%\System32\raserver.exe
Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1)
Port 135:TCP
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
%WINDIR%\System32\Sessmgr.exe
For computers running Windows Server 2003 with Service Pack 1 (SP1)
Port 135:TCP
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
Allow Remote Desktop Exception
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure Offer Remote Assistance*
- GP name: *RA_Unsolicit*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->

12
windows/client-management/mdm/policy-csp-remotedesktopservices.md
View File

@ -93,7 +93,7 @@ You can limit the number of users who can connect simultaneously by configuring
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow users to connect remotely by using Remote Desktop Services*
- GP Friendly name: *Allow users to connect remotely by using Remote Desktop Services*
- GP name: *TS_DISABLE_CONNECTIONS*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections*
- GP ADMX file name: *terminalserver.admx*
@ -149,7 +149,7 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Set client connection encryption level*
- GP Friendly name: *Set client connection encryption level*
- GP name: *TS_ENCRYPTION_POLICY*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
@ -199,7 +199,7 @@ If you do not configure this policy setting, client drive redirection and Clipbo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow drive redirection*
- GP Friendly name: *Do not allow drive redirection*
- GP name: *TS_CLIENT_DRIVE_M*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection*
- GP ADMX file name: *terminalserver.admx*
@ -245,7 +245,7 @@ If you disable this setting or leave it not configured, the user will be able to
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow passwords to be saved*
- GP Friendly name: *Do not allow passwords to be saved*
- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client*
- GP ADMX file name: *terminalserver.admx*
@ -297,7 +297,7 @@ If you do not configure this policy setting, automatic logon is not specified at
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Always prompt for password upon connection*
- GP Friendly name: *Always prompt for password upon connection*
- GP name: *TS_PASSWORD*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
@ -349,7 +349,7 @@ Note: The RPC interface is used for administering and configuring Remote Desktop
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Require secure RPC communication*
- GP Friendly name: *Require secure RPC communication*
- GP name: *TS_RPC_ENCRYPTION*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*

30
windows/client-management/mdm/policy-csp-remotemanagement.md
View File

@ -114,7 +114,7 @@ If you disable or do not configure this policy setting, the WinRM client does no
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow Basic authentication*
- GP Friendly name: *Allow Basic authentication*
- GP name: *AllowBasic_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -160,7 +160,7 @@ If you disable or do not configure this policy setting, the WinRM service does n
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow Basic authentication*
- GP Friendly name: *Allow Basic authentication*
- GP name: *AllowBasic_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -206,7 +206,7 @@ If you disable or do not configure this policy setting, the WinRM client does no
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow CredSSP authentication*
- GP Friendly name: *Allow CredSSP authentication*
- GP name: *AllowCredSSP_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -252,7 +252,7 @@ If you disable or do not configure this policy setting, the WinRM service does n
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow CredSSP authentication*
- GP Friendly name: *Allow CredSSP authentication*
- GP name: *AllowCredSSP_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -311,7 +311,7 @@ Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FE
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow remote server management through WinRM*
- GP Friendly name: *Allow remote server management through WinRM*
- GP name: *AllowAutoConfig*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -357,7 +357,7 @@ If you disable or do not configure this policy setting, the WinRM client sends o
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow unencrypted traffic*
- GP Friendly name: *Allow unencrypted traffic*
- GP name: *AllowUnencrypted_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -403,7 +403,7 @@ If you disable or do not configure this policy setting, the WinRM client sends o
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow unencrypted traffic*
- GP Friendly name: *Allow unencrypted traffic*
- GP name: *AllowUnencrypted_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -449,7 +449,7 @@ If you disable or do not configure this policy setting, the WinRM client uses Di
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Disallow Digest authentication*
- GP Friendly name: *Disallow Digest authentication*
- GP name: *DisallowDigest*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -495,7 +495,7 @@ If you disable or do not configure this policy setting, the WinRM client uses Ne
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Disallow Negotiate authentication*
- GP Friendly name: *Disallow Negotiate authentication*
- GP name: *DisallowNegotiate_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -541,7 +541,7 @@ If you disable or do not configure this policy setting, the WinRM service accept
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Disallow Negotiate authentication*
- GP Friendly name: *Disallow Negotiate authentication*
- GP name: *DisallowNegotiate_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -589,7 +589,7 @@ If you enable and then disable this policy setting,any values that were previous
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Disallow WinRM from storing RunAs credentials*
- GP Friendly name: *Disallow WinRM from storing RunAs credentials*
- GP name: *DisableRunAs*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -641,7 +641,7 @@ If HardeningLevel is set to None, all requests are accepted (though they are not
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify channel binding token hardening level*
- GP Friendly name: *Specify channel binding token hardening level*
- GP name: *CBTHardeningLevel_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -687,7 +687,7 @@ If you disable or do not configure this policy setting and the WinRM client need
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Trusted Hosts*
- GP Friendly name: *Trusted Hosts*
- GP name: *TrustedHosts*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -737,7 +737,7 @@ A listener might be automatically created on port 80 to ensure backward compatib
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn On Compatibility HTTP Listener*
- GP Friendly name: *Turn On Compatibility HTTP Listener*
- GP name: *HttpCompatibilityListener*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -787,7 +787,7 @@ A listener might be automatically created on port 443 to ensure backward compati
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn On Compatibility HTTPS Listener*
- GP Friendly name: *Turn On Compatibility HTTPS Listener*
- GP name: *HttpsCompatibilityListener*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*

4
windows/client-management/mdm/policy-csp-remoteprocedurecall.md
View File

@ -78,7 +78,7 @@ Note: This policy will not be applied until the system is rebooted.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Enable RPC Endpoint Mapper Client Authentication*
- GP Friendly name: *Enable RPC Endpoint Mapper Client Authentication*
- GP name: *RpcEnableAuthEpResolution*
- GP path: *System/Remote Procedure Call*
- GP ADMX file name: *rpc.admx*
@ -137,7 +137,7 @@ If you enable this policy setting, it directs the RPC server runtime to restrict
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Restrict Unauthenticated RPC clients*
- GP Friendly name: *Restrict Unauthenticated RPC clients*
- GP name: *RpcRestrictRemoteClients*
- GP path: *System/Remote Procedure Call*
- GP ADMX file name: *rpc.admx*

14
windows/client-management/mdm/policy-csp-remoteshell.md
View File

@ -89,7 +89,7 @@ If you set this policy to disabled, new remote shell connections are rejec
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow Remote Shell Access*
- GP Friendly name: *Allow Remote Shell Access*
- GP name: *AllowRemoteShellAccess*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
@ -137,7 +137,7 @@ If you disable or do not configure this policy setting, the default number is fi
<!--ADMXBacked-->
ADMX Info:
- GP English name: *MaxConcurrentUsers*
- GP Friendly name: *MaxConcurrentUsers*
- GP name: *MaxConcurrentUsers*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
@ -185,7 +185,7 @@ If you do not configure or disable this policy setting, the default value of 900
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify idle Timeout*
- GP Friendly name: *Specify idle Timeout*
- GP name: *IdleTimeout*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
@ -233,7 +233,7 @@ If you disable or do not configure this policy setting, the value 150 is used by
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify maximum amount of memory in MB per Shell*
- GP Friendly name: *Specify maximum amount of memory in MB per Shell*
- GP name: *MaxMemoryPerShellMB*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
@ -279,7 +279,7 @@ If you disable or do not configure this policy setting, the limit is five proce
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify maximum number of processes per Shell*
- GP Friendly name: *Specify maximum number of processes per Shell*
- GP name: *MaxProcessesPerShell*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
@ -327,7 +327,7 @@ If you disable or do not configure this policy setting, by default the limit is
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify maximum number of remote shells per user*
- GP Friendly name: *Specify maximum number of remote shells per user*
- GP name: *MaxShellsPerUser*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
@ -369,7 +369,7 @@ This policy setting is deprecated and has no effect when set to any state: Enabl
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify Shell Timeout*
- GP Friendly name: *Specify Shell Timeout*
- GP name: *ShellTimeOut*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*

24
windows/client-management/mdm/policy-csp-search.md
View File

@ -99,7 +99,7 @@ Allow search and Cortana to search cloud sources like OneDrive and SharePoint. T
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow Cloud Search*
- GP Friendly name: *Allow Cloud Search*
- GP name: *AllowCloudSearch*
- GP element: *AllowCloudSearch_Dropdown*
- GP path: *Windows Components/Search*
@ -148,7 +148,7 @@ This policy allows the cortana opt-in page during windows setup out of the box e
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow Cloud Search*
- GP Friendly name: *Allow Cloud Search*
- GP name: *AllowCortanaInAAD*
- GP element: *AllowCloudSearch_Dropdown*
- GP path: *Windows Components/Search*
@ -196,7 +196,7 @@ Controls if the user can configure search to Find My Files mode, which searches
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow Find My Files*
- GP Friendly name: *Allow Find My Files*
- GP name: *AllowFindMyFiles*
- GP path: *Computer Configuration/Administrative Templates/Windows Components/Search*
- GP ADMX file name: *Search.admx*
@ -256,7 +256,7 @@ Most restricted value is 0.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow indexing of encrypted files*
- GP Friendly name: *Allow indexing of encrypted files*
- GP name: *AllowIndexingEncryptedStoresOrItems*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
@ -306,7 +306,7 @@ Most restricted value is 0.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow search and Cortana to use location*
- GP Friendly name: *Allow search and Cortana to use location*
- GP name: *AllowSearchToUseLocation*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
@ -368,7 +368,7 @@ Most restricted value is 0.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow use of diacritics*
- GP Friendly name: *Allow use of diacritics*
- GP name: *AllowUsingDiacritics*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
@ -452,7 +452,7 @@ Most restricted value is 0.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Always use automatic language detection when indexing content and properties*
- GP Friendly name: *Always use automatic language detection when indexing content and properties*
- GP name: *AlwaysUseAutoLangDetection*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
@ -500,7 +500,7 @@ If enabled, the search indexer backoff feature will be disabled. Indexing will c
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Disable indexer backoff*
- GP Friendly name: *Disable indexer backoff*
- GP name: *DisableBackoff*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
@ -552,7 +552,7 @@ If you disable or do not configure this policy setting, locations on removable d
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Do not allow locations on removable drives to be added to libraries*
- GP Friendly name: *Do not allow locations on removable drives to be added to libraries*
- GP name: *DisableRemovableDriveIndexing*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
@ -605,7 +605,7 @@ If you disable this policy setting, queries will be performed on the web and web
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Don't search the web or display web results in Search*
- GP Friendly name: *Don't search the web or display web results in Search*
- GP name: *DoNotUseWebResults*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
@ -657,7 +657,7 @@ When this policy is disabled or not configured, Windows Desktop Search automatic
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Stop indexing in the event of limited hard drive space*
- GP Friendly name: *Stop indexing in the event of limited hard drive space*
- GP name: *StopIndexingOnLimitedHardDriveSpace*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
@ -705,7 +705,7 @@ If enabled, clients will be unable to query this computer's index remotely. Thus
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Prevent clients from querying the index remotely*
- GP Friendly name: *Prevent clients from querying the index remotely*
- GP name: *PreventRemoteQueries*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*

2
windows/client-management/mdm/policy-csp-security.md
View File

@ -190,7 +190,7 @@ Admin access is required. The prompt will appear on first admin logon after a re
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Configure the system to clear the TPM if it is not in a ready state.*
- GP Friendly name: *Configure the system to clear the TPM if it is not in a ready state.*
- GP name: *ClearTPMIfNotReady_Name*
- GP path: *System/Trusted Platform Module Services*
- GP ADMX file name: *TPM.admx*

2
windows/client-management/mdm/policy-csp-servicecontrolmanager.md
View File

@ -75,7 +75,7 @@ If you disable or do not configure this policy setting, the stricter security se
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Enable svchost.exe mitigation options*
- GP Friendly name: *Enable svchost.exe mitigation options*
- GP name: *SvchostProcessMitigationEnable*
- GP path: *System/Service Control Manager Settings/Security Settings*
- GP ADMX file name: *ServiceControlManager.admx*

136
windows/client-management/mdm/policy-csp-start.md
View File

@ -51,6 +51,9 @@ manager: dansimp
<dd>
<a href="#start-allowpinnedfoldervideos">Start/AllowPinnedFolderVideos</a>
</dd>
<dd>
<a href="#start-configurestartpins">Start/ConfigureStartPins</a>
</dd>
<dd>
<a href="#start-disablecontextmenus">Start/DisableContextMenus</a>
</dd>
@ -108,6 +111,9 @@ manager: dansimp
<dd>
<a href="#start-nopinningtotaskbar">Start/NoPinningToTaskbar</a>
</dd>
<dd>
<a href="#start-showorhidemostusedapps">Start/ShowOrHideMostUsedApps</a>
</dd>
<dd>
<a href="#start-startlayout">Start/StartLayout</a>
</dd>
@ -526,6 +532,67 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="start-configurestartpins"></a>**Start/ConfigureStartPins**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy will allow admins to push a new list of pinned apps to override the default/current list of pinned apps in the Windows 11 start menu experience.
It contains details on how to configure the start menu on Windows 11, see [/windows-hardware/customize/desktop/customize-the-windows-11-start-menu](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu)
<!--/Description-->
<!--SupportedValues-->
This string policy will take a JSON file (expected name LayoutModification.json), which enumerates the items to pin and their relative order.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="start-disablecontextmenus"></a>**Start/DisableContextMenus**
@ -1498,6 +1565,75 @@ To validate on Desktop, do the following:
<hr/>
<!--Policy-->
<a href="" id="start-showorhidemostusedapps"></a>**Start/ShowOrHideMostUsedApps**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
> * User
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 1 - Force showing of Most Used Apps in Start Menu, user cannot change in Settings
- 0 - Force hiding of Most Used Apps in Start Menu, user cannot change in Settings
- Not set - User can use Settings to hide or show Most Used Apps in Start Menu
On clean install, the user setting defaults to "hide".
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="start-startlayout"></a>**Start/StartLayout**

12
windows/client-management/mdm/policy-csp-update.md
View File

@ -948,7 +948,7 @@ Supported values:
<!--/Scope-->
<!--Description-->
Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of Semi-Annual Channel (Targeted) and Semi-Annual Channel have been combined into one Semi-Annual Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 is not a supported value.
Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of General Availability Channel (Targeted) and General Availability Channel have been combined into one General Availability Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 is not a supported value.
<!--/Description-->
<!--ADMXMapped-->
@ -966,8 +966,8 @@ The following list shows the supported values:
- 2 {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709)
- 4 {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709)
- 8 {0x8} - Release Windows Insider build (added in Windows 10, version 1709)
- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted).
- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903, for all releases 1903 and after the Semi-annual Channel and Semi-annual Channel (Targeted) into a single Semi-annual Channel with a value of 16)
- 16 {0x10} - (default) General Availability Channel (Targeted). Device gets all applicable feature updates from General Availability Channel (Targeted).
- 32 {0x20} - General Availability Channel. Device gets feature updates from General Availability Channel. (*Only applicable to releases prior to 1903, for all releases 1903 and after the General Availability Channel and General Availability Channel (Targeted) into a single General Availability Channel with a value of 16)
<!--/SupportedValues-->
<!--/Policy-->
@ -2627,7 +2627,7 @@ By using this Windows Update for Business policy to upgrade devices to a new pro
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
Allows the IT admin to set a device to Semi-Annual Channel train.
Allows the IT admin to set a device to General Availability Channel train.
<!--/Description-->
<!--ADMXMapped-->
@ -2640,8 +2640,8 @@ ADMX Info:
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) User gets upgrades from Semi-Annual Channel (Targeted).
- 1 User gets upgrades from Semi-Annual Channel.
- 0 (default) User gets upgrades from General Availability Channel (Targeted).
- 1 User gets upgrades from General Availability Channel.
<!--/SupportedValues-->
<!--/Policy-->

6
windows/client-management/mdm/toc.yml
View File

@ -741,6 +741,8 @@ items:
href: policy-csp-lockdown.md
- name: Maps
href: policy-csp-maps.md
- name: MemoryDump
href: policy-csp-memorydump.md
- name: Messaging
href: policy-csp-messaging.md
- name: MixedReality
@ -755,6 +757,8 @@ items:
href: policy-csp-networkisolation.md
- name: NetworkListManager
href: policy-csp-networklistmanager.md
- name: NewsAndInterests
href: policy-csp-newsandinterests.md
- name: Notifications
href: policy-csp-notifications.md
- name: Power
@ -765,6 +769,8 @@ items:
href: policy-csp-privacy.md
- name: RemoteAssistance
href: policy-csp-remoteassistance.md
- name: RemoteDesktop
href: policy-csp-remotedesktop.md
- name: RemoteDesktopServices
href: policy-csp-remotedesktopservices.md
- name: RemoteManagement

2
windows/client-management/mdm/update-csp.md
View File

@ -204,7 +204,7 @@ Added in Windows 10, version 1803. Roll Back Latest Feature Update, if the machi
- Condition 4: Machine should be within the uninstall period
> [!NOTE]
> This only works for Semi-Annual Channel Targeted devices.
> This only works for General Availability Channel Targeted devices.
If the conditions are not true, the device will not Roll Back the Latest Feature Update.

20
windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
View File

@ -67,7 +67,7 @@ The following list shows the supported values:
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Configure Microsoft Defender Application Guard clipboard settings*
- GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings*
- GP name: *AppHVSIClipboardFileType*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
@ -91,7 +91,7 @@ The following list shows the supported values:
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Configure Microsoft Defender Application Guard clipboard settings*
- GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings*
- GP name: *AppHVSIClipboardSettings*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
@ -124,7 +124,7 @@ The following list shows the supported values:
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Configure Microsoft Defender Application Guard print settings*
- GP Friendly name: *Configure Microsoft Defender Application Guard print settings*
- GP name: *AppHVSIPrintingSettings*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
@ -146,7 +146,7 @@ The following list shows the supported values:
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer*
- GP Friendly name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer*
- GP name: *BlockNonEnterpriseContent*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
@ -165,7 +165,7 @@ The following list shows the supported values:
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow data persistence for Microsoft Defender Application Guard*
- GP Friendly name: *Allow data persistence for Microsoft Defender Application Guard*
- GP name: *AllowPersistence*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
@ -189,7 +189,7 @@ The following list shows the supported values:
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard*
- GP Friendly name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard*
- GP name: *AllowVirtualGPU*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
@ -208,7 +208,7 @@ The following list shows the supported values:
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard*
- GP Friendly name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard*
- GP name: *SaveFilesToHost*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
@ -230,7 +230,7 @@ If you disable or dont configure this setting, certificates are not shared wi
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device*
- GP Friendly name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device*
- GP name: *CertificateThumbprints*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
@ -259,7 +259,7 @@ The following list shows the supported values:
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow camera and microphone access in Microsoft Defender Application Guard*
- GP Friendly name: *Allow camera and microphone access in Microsoft Defender Application Guard*
- GP name: *AllowCameraMicrophoneRedirection*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
@ -317,7 +317,7 @@ The following list shows the supported values:
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow auditing events in Microsoft Defender Application Guard*
- GP Friendly name: *Allow auditing events in Microsoft Defender Application Guard*
- GP name: *AuditApplicationGuard*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*

2
windows/client-management/troubleshoot-stop-errors.md
View File

@ -129,7 +129,7 @@ More information on how to use Dumpchk.exe to check your dump files:
### Pagefile Settings
- [Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows](/windows/client-management/introduction-page-file)
- [Introduction of page file in Long-Term Servicing Channel and General Availability Channel of Windows](/windows/client-management/introduction-page-file)
- [How to determine the appropriate page file size for 64-bit versions of Windows](/windows/client-management/determine-appropriate-page-file-size)
- [How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2](/windows/client-management/generate-kernel-or-complete-crash-dump)

12
windows/client-management/troubleshoot-tcpip-netmon.md
View File

@ -7,7 +7,7 @@ ms.topic: troubleshooting
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
ms.date: 12/06/2018
ms.date: 01/27/2022
ms.reviewer:
manager: dansimp
ms.collection: highpri
@ -15,10 +15,10 @@ ms.collection: highpri
# Collect data using Network Monitor
In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic.
In this article, you will learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic.
> [!NOTE]
> Network Monitor is the archived protocol analyzer and is no longer under development. **Microsoft Message Analyzer** is the replacement for Network Monitor. For more details, see [Microsoft Message Analyzer Operating Guide](/message-analyzer/microsoft-message-analyzer-operating-guide).
> Network Monitor is the archived protocol analyzer and is no longer under development. Also, Microsoft Message Analyzer (MMA) was retired and its download packages were removed from microsoft.com sites on November 25, 2019. There is currently no Microsoft replacement for Microsoft Message Analyzer in development at this time. For similar functionality, consider using another, non-Microsoft network protocol analyzer tool. For more details, see [Microsoft Message Analyzer Operating Guide](/message-analyzer/microsoft-message-analyzer-operating-guide).
To get started, [download Network Monitor tool](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image:
@ -28,11 +28,11 @@ When the driver gets hooked to the network interface card (NIC) during installat
**To capture traffic**
1. Run netmon in an elevated status by choosing Run as Administrator.
1. Run netmon in an elevated status by choosing **Run as Administrator**.
![Image of Start search results for Netmon.](images/nm-start.png)
2. Network Monitor opens with all network adapters displayed. Select the network adapters where you want to capture traffic, click **New Capture**, and then click **Start**.
2. Network Monitor opens with all network adapters displayed. Select the network adapters where you want to capture traffic, click **New Capture**, and then select **Start**.
![Image of the New Capture option on menu.](images/tcp-ts-4.png)
@ -67,4 +67,4 @@ Network traces which are collected using the **netsh** commands built in to Wind
[Network Monitor Wireless Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1900.network-monitor-wireless-filtering.aspx)<br>
[Network Monitor TCP Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1134.network-monitor-tcp-filtering.aspx)<br>
[Network Monitor Conversation Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1829.network-monitor-conversation-filtering.aspx)<br>
[How to setup and collect network capture using Network Monitor tool](/archive/blogs/msindiasupp/how-to-setup-and-collect-network-capture-using-network-monitor-tool)<br>
[How to setup and collect network capture using Network Monitor tool](/archive/blogs/msindiasupp/how-to-setup-and-collect-network-capture-using-network-monitor-tool)<br>

20
windows/client-management/troubleshoot-tcpip-port-exhaust.md
View File

@ -7,7 +7,7 @@ ms.topic: troubleshooting
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
ms.date: 12/06/2018
ms.date: 02/07/2022
ms.reviewer:
manager: dansimp
ms.collection: highpri
@ -22,9 +22,9 @@ There are two types of ports:
- *Ephemeral ports*, which are usually dynamic ports, are the set of ports that every machine by default will have them to make an outbound connection.
- *Well-known ports* are the defined port for a particular application or service. For example, file server service is on port 445, HTTPS is 443, HTTP is 80, and RPC is 135. Custom application will also have their defined port numbers.
Clients when connecting to an application or service will make use of an ephemeral port from its machine to connect to a well-known port defined for that application or service. A browser on a client machine will use an ephemeral port to connect to https://www.microsoft.com on port 443.
When connecting to an application or service, client devices use an ephemeral port from the device to connect to a well-known port defined for that application or service. A browser on a client machine will use an ephemeral port to connect to `https://www.microsoft.com` on port 443.
In a scenario where the same browser is creating a lot of connections to multiple website, for any new connection that the browser is attempting, an ephemeral port is used. After some time, you will notice that the connections will start to fail and one high possibility for this would be because the browser has used all the available ports to make connections outside and any new attempt to establish a connection will fail as there are no more ports available. When all the ports are on a machine are used, we term it as *port exhaustion*.
In a scenario where the same browser is creating a lot of connections to multiple websites, for any new connection that the browser is attempting, an ephemeral port is used. After some time, you will notice that the connections will start to fail and one high possibility for this would be because the browser has used all the available ports to make connections outside and any new attempt to establish a connection will fail as there are no more ports available. When all the ports on a machine are used, we term it as *port exhaustion*.
## Default dynamic port range for TCP/IP
@ -95,16 +95,16 @@ If you suspect that the machine is in a state of port exhaustion:
![Screenshot of netstate command output.](images/tcp-ts-20.png)
After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state.
After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used by the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state.
You may also see CLOSE_WAIT state connections in the same output, however CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion.
You might also see CLOSE_WAIT state connections in the same output; however, CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion.
>[!Note]
>Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion.
> [!Note]
> Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion.
>
>Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports.
> Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports.
>
>Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more.
> Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more.
4. Open a command prompt in admin mode and run the below command
@ -164,7 +164,7 @@ Steps to use Process explorer:
Finally, if the above methods did not help you isolate the process, we suggest you collect a complete memory dump of the machine in the issue state. The dump will tell you which process has the maximum handles.
As a workaround, rebooting the computer will get the it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands:
As a workaround, rebooting the computer will get it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands:
```console
netsh int ipv4 set dynamicport tcp start=10000 num=1000

8
windows/client-management/windows-version-search.md
View File

@ -1,7 +1,7 @@
---
title: What version of Windows am I running?
description: Discover which version of Windows you are running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or Semi-Annual Channel.
keywords: Long-Term Servicing Channel, LTSC, LTSB, Semi-Annual Channel, SAC, Windows, version, OS Build
description: Discover which version of Windows you are running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel.
keywords: Long-Term Servicing Channel, LTSC, LTSB, General Availability Channel, GAC, Windows, version, OS Build
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@ -15,7 +15,7 @@ ms.topic: troubleshooting
# What version of Windows am I running?
To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [Semi-Annual Channel](/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so its useful to learn about all of them.
To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so its useful to learn about all of them.
## System Properties
Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu
@ -48,4 +48,4 @@ At the Command Prompt or PowerShell, type **"slmgr /dlv"**, and then press ENTER
The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesnt contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (you do have some limited search capabilities), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Its important to remember that the LTSC model is primarily for specialized devices.
In the Semi-Annual Channel, you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows 10 feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment.
In the General Availability Channel, you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows 10 feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment.

4
windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
View File

@ -164,7 +164,7 @@ Download all three items in this list to the D:\\Downloads folder on MDT01.
For example, you can use the following configuration.xml file, which provides these configuration settings:
- Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet. Note: 64-bit is now the default and recommended edition.
- Use the Semi-Annual Channel and get updates directly from the Office CDN on the internet.
- Use the General Availability Channel and get updates directly from the Office CDN on the internet.
- Perform a silent installation. You wont see anything that shows the progress of the installation and you wont see any error messages.
```xml
@ -179,7 +179,7 @@ Download all three items in this list to the D:\\Downloads folder on MDT01.
</Configuration>
```
By using these settings, any time you build the reference image youll be installing the most up-to-date Semi-Annual Channel version of Microsoft 365 Apps for enterprise.
By using these settings, any time you build the reference image youll be installing the most up-to-date General Availability Channel version of Microsoft 365 Apps for enterprise.
>[!TIP]
>You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file.

5
windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
View File

@ -38,9 +38,6 @@ If you have access to Microsoft BitLocker Administration and Monitoring (MBAM),
> [!NOTE]
> Backing up TPM to Active Directory was supported only on Windows 10 version 1507 and 1511.
>[!NOTE]
>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For more information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-7/dd875529(v=ws.10)). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).
## Configure Active Directory for BitLocker
@ -170,4 +167,4 @@ In the following task sequence, we added five actions:
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)<br>
[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)<br>
[Use web services in MDT](use-web-services-in-mdt.md)<br>
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)

2
windows/deployment/planning/windows-10-deprecated-features.md
View File

@ -33,7 +33,7 @@ The features described below are no longer being actively developed, and might b
| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**<br>Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows 10/11.<br>The following items might not be available in a future release of Windows client:<br>- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**<br>- Command line parameter: [manage-bde -DiscoveryVolumeType](/windows-server/administration/windows-commands/manage-bde-on) (-dv)<br>- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**<br>- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 |
| Internet Explorer (IE) 11 | The IE11 desktop application will end support for certain operating systems starting June 15, 2022. For more information, see [Internet Explorer 11](/lifecycle/products/internet-explorer-11). | 21H1 |
| Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 |
| Windows Management Instrumentation Command line (WMIC) tool. | The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 semi-annual channel release of Windows Server. This tool is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation only applies to the [command-line management tool](/windows/win32/wmisdk/wmic). WMI itself is not affected. | 21H1 |
| Windows Management Instrumentation Command line (WMIC) tool. | The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This tool is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation only applies to the [command-line management tool](/windows/win32/wmisdk/wmic). WMI itself is not affected. | 21H1 |
| Timeline | Starting in July 2021, if you have your activity history synced across your devices through your Microsoft account (MSA), you'll no longer have the option to upload new activity in Timeline. See [Get help with timeline](https://support.microsoft.com/windows/get-help-with-timeline-febc28db-034c-d2b0-3bbe-79aa0c501039).| 20H2 |
| Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 |
| Companion Device Framework | The [Companion Device Framework](/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 |

2
windows/deployment/update/PSFxWhitepaper.md
View File

@ -1,7 +1,7 @@
---
title: Windows Updates using forward and reverse differentials
description: A technique to produce compact software updates optimized for any origin and destination revision pair
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
keywords: updates, servicing, current, deployment, General Availability Channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro

4
windows/deployment/update/WIP4Biz-intro.md
View File

@ -1,7 +1,7 @@
---
title: Introduction to the Windows Insider Program for Business
description: In this article, you'll learn about the Windows Insider Program for Business and why IT Pros should join.
keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight
keywords: updates, servicing, current, deployment, General Availability Channel, General Availability Channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight
ms.custom: seo-marvel-apr2020
ms.prod: w10
ms.mktglfcycl: manage
@ -37,7 +37,7 @@ Microsoft recommends that all organizations have at least a few devices enrolled
The Windows Insider Program doesn't replace General Availability Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft.
[![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the Semi-Annual Channel Targeted ring for Pilot deployment, and the Semi-Annual Channel for broad deployment.](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)<br>
[![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the General Availability Channel Targeted ring for Pilot deployment, and the General Availability Channel for broad deployment.](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)<br>
Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments.
## Explore new Windows 10 features in Insider Previews

2
windows/deployment/update/eval-infra-tools.md
View File

@ -2,7 +2,7 @@
title: Evaluate infrastructure and tools
manager: laurawi
description: Steps to make sure your infrastructure is ready to deploy updates
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
keywords: updates, servicing, current, deployment, General Availability Channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro

2
windows/deployment/update/get-started-updates-channels-tools.md
View File

@ -1,7 +1,7 @@
---
title: Windows client updates, channels, and tools
description: Brief summary of the kinds of Windows updates, the channels they are served through, and the tools for managing them
keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, tools
keywords: updates, servicing, current, deployment, General Availability Channel, General Availability Channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo

BIN
windows/deployment/update/images/waas-mcc-diag-overview.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 122 KiB

2
windows/deployment/update/plan-define-readiness.md
View File

@ -2,7 +2,7 @@
title: Define readiness criteria
manager: laurawi
description: Identify important roles and figure out how to classify apps
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
keywords: updates, servicing, current, deployment, General Availability Channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro

2
windows/deployment/update/plan-define-strategy.md
View File

@ -1,7 +1,7 @@
---
title: Define update strategy
description: Two examples of a calendar-based approach to consistent update installation
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, tools
keywords: updates, servicing, current, deployment, General Availability Channel, feature, quality, rings, tools
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo

2
windows/deployment/update/plan-determine-app-readiness.md
View File

@ -2,7 +2,7 @@
title: Determine application readiness
manager: laurawi
description: How to test your apps to know which need attention prior to deploying an update
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
keywords: updates, servicing, current, deployment, General Availability Channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro

2
windows/deployment/update/prepare-deploy-windows.md
View File

@ -1,7 +1,7 @@
---
title: Prepare to deploy Windows
description: Final steps to get ready to deploy Windows, including preparing infrastructure, environment, applications, devices, network, capability, and users
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
keywords: updates, servicing, current, deployment, General Availability Channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo

2
windows/deployment/update/quality-updates.md
View File

@ -1,7 +1,7 @@
---
title: Monthly quality updates (Windows 10/11)
description: Learn about Windows monthlyquality updates to stay productive and protected.
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
keywords: updates, servicing, current, deployment, General Availability Channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
author: greg-lindsay

2
windows/deployment/update/update-baseline.md
View File

@ -1,7 +1,7 @@
---
title: Update Baseline
description: Use an update baseline to optimize user experience and meet monthly update goals
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, tools, group policy
keywords: updates, servicing, current, deployment, General Availability Channel, feature, quality, rings, tools, group policy
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo

2
windows/deployment/update/update-policies.md
View File

@ -3,7 +3,7 @@ title: Policies for update compliance, activity, and user experience
ms.reviewer:
manager: laurawi
description: Explanation and recommendations for settings
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
keywords: updates, servicing, current, deployment, General Availability Channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro

96
windows/deployment/update/waas-delivery-optimization-faq.md Normal file
View File

@ -0,0 +1,96 @@
---
title: Delivery Optimization Frequently Asked Questions
ms.reviewer:
manager: dougeby
description: The following is a list of frequently asked questions for Delivery Optimization.
keywords: oms, operations management suite, wdav, updates, downloads, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
audience: itpro
author: carmenf
ms.localizationpriority: medium
ms.author: carmenf
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Delivery Optimization Frequently Asked Questions
**Applies to**
- Windows 10
- Windows 11
## Does Delivery Optimization work with WSUS?
Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
## Which ports does Delivery Optimization use?
Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data).
Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up.
Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80.
## What are the requirements if I use a proxy?
For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](./delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting.md).
## What hostnames should I allow through my firewall to support Delivery Optimization?
For communication between clients and the Delivery Optimization cloud service: **\*.do.dsp.mp.microsoft.com**.
**For Delivery Optimization metadata**:
- *.dl.delivery.mp.microsoft.com
- *.emdl.ws.microsoft.com
**For the payloads (optional)**:
- *.download.windowsupdate.com
- *.windowsupdate.com
## Does Delivery Optimization use multicast?
No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
## How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?
Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
## How does Delivery Optimization handle VPNs?
Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN.
With split tunneling, make sure to allow direct access to these endpoints:
Delivery Optimization service endpoint:
- `https://*.prod.do.dsp.mp.microsoft.com`
Delivery Optimization metadata:
- `http://emdl.ws.microsoft.com`
- `http://*.dl.delivery.mp.microsoft.com`
Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads
- `http://*.windowsupdate.com`
- `https://*.delivery.mp.microsoft.com`
- `https://*.update.microsoft.com`
- `https://tsfe.trafficshaping.dsp.mp.microsoft.com`
For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444).
## How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address?
Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode.
> [!NOTE]
> If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers.

108
windows/deployment/update/waas-delivery-optimization-reference.md
View File

@ -1,15 +1,15 @@
---
title: Delivery Optimization reference
ms.reviewer:
manager: laurawi
manager: dougeby
description: This article provides a summary of references and descriptions for all of the Delivery Optimization settings.
keywords: oms, operations management suite, wdav, updates, downloads, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
audience: itpro
author: jaimeo
author: carmenf
ms.localizationpriority: medium
ms.author: jaimeo
ms.author: carmenf
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
@ -22,20 +22,20 @@ ms.custom: seo-marvel-apr2020
- Windows 10
- Windows 11
> **Looking for more Group Policy settings?** See the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158).
> **Looking for more Group Policy settings?** See the master spreadsheet available at the [Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=103506).
There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows 10 updates](waas-delivery-optimization-setup.md).
There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows client updates](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows client updates](waas-delivery-optimization-setup.md).
## Delivery Optimization options
You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
[//]: # (something about Intune UX--perhaps link to relevant Intune docs?)
### Summary of Delivery Optimization settings:
### Summary of Delivery Optimization settings
| Group Policy setting | MDM setting | Supported from version |
| --- | --- | --- |
@ -65,16 +65,17 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
| [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 |
| [Delay foreground download cache server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 |
| [Delay background download cache server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 |
| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 2004 |
| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 |
| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 |
| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 1809 |
| [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 |
| [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 |
### More detail on Delivery Optimization settings:
### More detail on Delivery Optimization settings
[Group ID](#group-id), combined with Group [Download mode](#download-mode), enables administrators to create custom device groups that will share content between devices in the group.
Delivery Optimization uses locally cached updates. In cases where devices have ample local storage and you would like to cache more content, or if you have limited storage and would like to cache less, use the following settings to adjust the Delivery Optimization cache to suit your scenario:
- [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use.
- [Max Cache Age](#max-cache-age) controls the retention period for each update in the cache.
- The system drive is the default location for the Delivery Optimization cache. [Modify Cache Drive](#modify-cache-drive) allows administrators to change that location.
@ -85,6 +86,7 @@ Delivery Optimization uses locally cached updates. In cases where devices have a
All cached files have to be above a set minimum size. This size is automatically set by the Delivery Optimization cloud services, but when local storage is sufficient and the network isn't strained or congested, administrators might choose to change it to obtain increased performance. You can set the minimum size of files to cache by adjusting [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size).
Additional options available that control the impact Delivery Optimization has on your network include the following:
- [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) control the download bandwidth used by Delivery Optimization.
- [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage.
- [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers each month.
@ -99,6 +101,7 @@ Additional options available that control the impact Delivery Optimization has o
- [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P.
Administrators can further customize scenarios where Delivery Optimization will be used with the following settings:
- [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled.
- [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) sets the minimum disk size required for peer caching to be enabled.
- [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) allows clients connected through VPN to use peer caching.
@ -111,21 +114,21 @@ Download mode dictates which download sources clients are allowed to use when do
| Download mode option | Functionality when set |
| --- | --- |
| HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. |
| LAN (1 Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then try to connect to other peers on the same network by using their private subnet IP.|
| LAN (**1 Default**) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then try to connect to other peers on the same network by using their private subnet IP.|
| Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
| Internet (3) | Enable Internet peer sources for Delivery Optimization. |
| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. |
|Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. |
|Bypass (100) |Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **(0)** or **(99)**. |
> [!NOTE]
> Starting in Windows 11, the Bypass option of Download Mode is no longer used.
>
> [!NOTE]
> When you use AAD tenant, AD Site, or AD Domain as the source of group IDs, the association of devices participating in the group should not be relied on for an authentication of identity of those devices.
### Group ID
By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a subgroup representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
By default, peer sharing on clients using the Group download mode (option 2) is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a subgroup representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
[//]: # (Configuration Manager boundary group option; GroupID Source policy)
@ -135,7 +138,9 @@ By default, peer sharing on clients using the group download mode is limited to
>This configuration is optional and not required for most implementations of Delivery Optimization.
### Select the source of Group IDs
Starting in Windows 10, version 1803, set this policy to restrict peer selection to a specific source. The options are:
Starting in Windows 10, version 1803, set this policy to restrict peer selection to a specific source, when using a GroupID policy. The options are:
- 0 = not set
- 1 = AD Site
- 2 = Authenticated domain SID
@ -145,101 +150,106 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection
When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
### Minimum RAM (inclusive) allowed to use Peer Caching
This setting specifies the minimum RAM size in GB required to use Peer Caching. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. The recommended values are 1 to 4, and the default value is 4 GB.
This setting specifies the minimum RAM size in GB required to use Peer Caching. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. The recommended values are 1 to 4, and **the default value is 4 GB**.
### Minimum disk size allowed to use Peer Caching
This setting specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The recommended values are 64 to 256, and the default value is 32 GB.
This setting specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The recommended values are 64 to 256, and **the default value is 32 GB**.
>[!NOTE]
>If the [Modify Cache Drive](#modify-cache-drive) policy is set, the disk size check will apply to the new working directory specified by this policy.
### Max Cache Age
In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. The default Max Cache Age value is 259,200 seconds (three days). Alternatively, organizations might choose to set this value to "0" which means "unlimited" to avoid peers re-downloading content. When "Unlimited" value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. Alternatively, organizations might choose to set this value to "0" which means "unlimited" to avoid peers re-downloading content. When "Unlimited" value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed). **The default value is 259,200 seconds (three days)**.
### Max Cache Size
This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20.
This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20**.
### Absolute Max Cache Size
This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the [**Max Cache Size**](#max-cache-size) setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the [**Max Cache Size**](#max-cache-size) setting. The default value for this setting is 10 GB.
This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the [**Max Cache Size**](#max-cache-size) setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the [**Max Cache Size**](#max-cache-size) setting. **The default value is 10 GB**.
### Minimum Peer Caching Content File Size
This setting specifies the minimum content file size in MB enabled to use Peer Caching. The recommended values are from 1 to 100000.
This setting specifies the minimum content file size in MB enabled to use Peer Caching. The recommended values are from 1 to 100000. **The default file size is 50MB** to participate in peering.
### Maximum Download Bandwidth
This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of "0" means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used.
This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). **A default value of "0"** means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used.
> [!NOTE]
> This is the best option for low bandwidth environments.
### Maximum Foreground Download Bandwidth
Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value of "0" means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set.
Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set.
### Maximum Background Download Bandwidth
Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value of "0" means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set.
Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set.
### Percentage of Maximum Download Bandwidth
This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
> [!NOTE]
> It is recommended to use the absolute value download option 'Maximum Download Bandwidth', rather than percentage-based options, for low bandwidth environments.
### Max Upload Bandwidth
This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is "0", or "unlimited" which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). **The default value is "0", or "unlimited"** which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
### Set Business Hours to Limit Background Download Bandwidth
Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy is not set.**
### Set Business Hours to Limit Foreground Download Bandwidth
Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy is not set.**
### Select a method to restrict peer selection
Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2).
Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore means there is no peering between subnets. **The default value in Windows 11 is set to "Local Peer Discovery"**.
If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID).
The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**.
### Delay background download from http (in secs)
Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer.
Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy is not set.**
### Delay foreground download from http (in secs)
Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer.
Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy is not set.**
### Delay Foreground Download Cache Server Fallback (in secs)
Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If you set the policy to delay foreground download from http, it will apply first (to allow downloads from peers first).
Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If you set the policy to delay foreground download from http, it will apply first (to allow downloads from peers first). **By default, this policy is not set.**
### Delay Background Download Cache Server Fallback (in secs)
Starting in Windows 10, version 1903, set this policy to delay the fallback from cache server to the HTTP source for a background content download by X seconds. If you set the policy to delay background download from http, it will apply first (to allow downloads from peers first).
Starting in Windows 10, version 1903, set this policy to delay the fallback from cache server to the HTTP source for a background content download by X seconds. If you set the policy to delay background download from http, it will apply first (to allow downloads from peers first). **By default, this policy is not set.**
### Minimum Background QoS
This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from Windows Update servers or WSUS. The lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network.
This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from Windows Update servers or WSUS. The lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network. **The default value is 500KB/s**
### Modify Cache Drive
This setting allows for an alternate Delivery Optimization cache location on the clients. By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable. You can set the value to an environment variable (for example, %SYSTEMDRIVE%), a drive letter (for example, D:), or a folder path (for example, D:\DOCache).
This setting allows for an alternate Delivery Optimization cache location on the clients. **By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable.** You can set the value to an environment variable (for example, %SYSTEMDRIVE%), a drive letter (for example, D:), or a folder path (for example, D:\DOCache).
### Monthly Upload Data Cap
This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of "0" means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB.
This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of "0" means that an unlimited amount of data can be uploaded. **The default value for this setting is 20 GB.**
### Enable Peer Caching while the device connects via VPN
This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. **By default, if a VPN connection is detected, peering is not allowed.** Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
### Allow uploads while the device is on battery while under set Battery level
@ -247,22 +257,25 @@ This setting specifies battery levels at which a device will be allowed to uploa
The device can download from peers while on battery regardless of this policy.
>[!IMPORTANT]
> By default, devices **will not upload while on battery**. To enable uploads while on battery, you need to enable this policy and set the battery value under which uploads pause.
> **By default, devices will not upload while on battery**. To enable uploads while on battery, you need to enable this policy and set the battery value under which uploads pause.
### Cache Server Hostname
### Cache Server Hostname
Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma separated, for example: myhost.somerandomhost.com,myhost2.somrandomhost.com,10.10.1.7.
Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somrandomhost.com,10.10.1.7. **By default, this policy is empty.**
>[!IMPORTANT]
> Any value will signify that the policy is set. For example, an empty string ("") is not considered empty.
### Cache Server Hostname Source
This policy allows you to specify how your client(s) can discover Delivery Optimization in Network Cache servers dynamically. There are two options:
- 1 = DHCP Option 235.
- 2 = DHCP Option 235 Force.
With either option, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set.
With either option, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set. **By default, this policy has no value.**
Set this policy to designate one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. Specify the custom DHCP option on your server as *text* type. You can add one or more values as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address with commas.
Set this policy to designate Delivery Optimization in Network Cache servers through a custom DHCP Option. Specify the custom DHCP option on your server as *text* type. You can add one or more values as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address with commas.
> [!NOTE]
> If you format the DHCP Option ID incorrectly, the client will fall back to the Cache Server Hostname policy value if that value has been set.
@ -270,12 +283,11 @@ Set this policy to designate one or more Delivery Optimization in Network Cache
### Maximum Foreground Download Bandwidth (in KB/s)
Specifies the maximum foreground download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization.
The default value of 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
**The default value of "0" means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.**
### Maximum Background Download Bandwidth (in KB/s)
Specifies the maximum background download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
**The default value "0" means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.**

102
windows/deployment/update/waas-delivery-optimization-setup.md
View File

@ -1,29 +1,38 @@
---
title: Set up Delivery Optimization
ms.reviewer:
manager: laurawi
manager: dougeby
description: In this article, learn how to set up Delivery Optimization.
keywords: oms, operations management suite, wdav, updates, downloads, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
audience: itpro
author: jaimeo
author: carmenf
ms.localizationpriority: medium
ms.author: jaimeo
ms.author: carmenf
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Set up Delivery Optimization for Windows client updates
# Set up Delivery Optimization for Windows
**Applies to**
- Windows 10
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
## Set up Delivery Optimization
You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
You will find the Delivery Optimization settings in Group Policy under **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization**.
Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/intune/delivery-optimization-windows))
**Starting with Windows 10, version 1903,** you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
## Recommended Delivery Optimization settings
@ -37,7 +46,7 @@ Delivery Optimization offers a great many settings to fine-tune its behavior (se
> [!NOTE]
> These scenarios (and the recommended settings for each) are not mutually exclusive. It's possible that your deployment might involve more than one of these scenarios, in which case you can employ the related settings in any combination as needed. In all cases, however, "download mode" is the most important one to set.
>
> [!NOTE]
> Microsoft Intune includes a profile to make it easier to set Delivery Optimization policies. For details, see [Delivery Optimization settings for Intune](/mem/intune/configuration/delivery-optimization-settings).
@ -54,7 +63,7 @@ Quick-reference table:
For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group is the authenticated domain or Active Directory site. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter.
To do this in Group Policy go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DODownloadMode to 1 or 2.
@ -62,7 +71,7 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**
The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across groups, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else. If you're not using Active Directory sites, you should set *RestrictPeerSelectionBy* policies to restrict the activity to the subnet or set a different source for Groups by using the GroupIDSrc parameter. See [Select a method to restrict peer selection](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection).
To do this in Group Policy go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
To do this in Group Policy go to ****Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DODownloadMode** to **2**.
@ -73,7 +82,7 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**
If you have a mobile workforce with a great many mobile devices, set Delivery Optimization to allow uploads on battery power, while limiting the use to prevent battery drain. A setting for **DOMinBatteryPercentageAllowedToUpload** of 60% is a good starting point, though you might want to adjust it later.
To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Allow uploads while the device is on battery while under set Battery level** to 60.
To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Allow uploads while the device is on battery while under set Battery level** to 60.
To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DOMinBatteryPercentageAllowedToUpload** to 60.
@ -83,7 +92,7 @@ Many devices now come with large internal drives. You can set Delivery Optimizat
[//]: # (default of 50 aimed at consumer)
To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 10 (if you have more than 30 devices) or 1 (if you have more than 100 devices).
To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 10 (if you have more than 30 devices) or 1 (if you have more than 100 devices).
To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DOMinFileSizeToCache** to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices).
@ -91,13 +100,12 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**
In a lab situation, you typically have a large number of devices that are plugged in and have a lot of free disk space. By increasing the content expiration interval, you can take advantage of these devices, using them as excellent upload sources in order to upload much more content over a longer period.
To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **604800** (7 days) or more (up to 30 days).
To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **604800** (7 days) or more (up to 30 days).
To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DOMaxCacheAge to 7 or more (up to 30 days).
[//]: # (material about "preferred" devices; remove MinQos/MaxCacheAge; table format?)
## Monitor Delivery Optimization
[//]: # (How to tell if it's working? What values are reasonable; which are not? If not, which way to adjust and how? -- check PercentPeerCaching for files > minimum >= 50%)
@ -126,22 +134,21 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**
| ExpireOn | The target expiration date and time for the file. |
| Pinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). |
`Get-DeliveryOptimizationPerfSnap` returns a list of key performance data:
- Number of files downloaded 
- Number of files uploaded 
- Total bytes downloaded 
- Total bytes uploaded 
- Average transfer size (download); that is, the number bytes downloaded divided by the number of files 
- Number of files downloaded
- Number of files uploaded
- Total bytes downloaded
- Total bytes uploaded
- Average transfer size (download); that is, the number bytes downloaded divided by the number of files
- Average transfer size (upload); the number of bytes uploaded divided by the number of files
- Peer efficiency; same as PercentPeerCaching
Using the `-Verbose` option returns additional information:
- Bytes from peers (per type) 
- Bytes from peers (per type)
- Bytes from CDN (the number of bytes received over HTTP)
- Average number of peer connections per download 
- Average number of peer connections per download
**Starting in Windows 10, version 2004**, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers.
@ -212,6 +219,59 @@ Log entries are written to the PowerShell pipeline as objects. To dump logs to a
Update Compliance provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
[ ![DO status.](images/UC_workspace_DO_status.png) ](images/UC_workspace_DO_status.png#lightbox)
[[DO status](images/UC_workspace_DO_status.png)](images/UC_workspace_DO_status.png#lightbox)
For details, see [Delivery Optimization in Update Compliance](update-compliance-delivery-optimization.md).
## Troubleshooting
This section summarizes common problems and some solutions to try.
### If you don't see any bytes from peers
If you don't see any bytes coming from peers the cause might be one of the following issues:
- Clients arent able to reach the Delivery Optimization cloud services.
- The cloud service doesnt see other peers on the network.
- Clients arent able to connect to peers that are offered back from the cloud service.
- None of the computers on the network are getting updates from peers.
### Clients aren't able to reach the Delivery Optimization cloud services
Try these steps:
1. Start a download of an app that is larger than 50 MB from the Store (for example "Candy Crush Saga").
2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and observe the [DownloadMode](waas-delivery-optimization-reference.md#download-mode) setting. For peering to work, DownloadMode should be 1, 2, or 3.
3. If DownloadMode is 99, it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization host names are allowed access: most importantly **\*.do.dsp.mp.microsoft.com**.
### The cloud service doesn't see other peers on the network
Try these steps:
1. Download the same app on two different devices on the same network, waiting 10 15 minutes between downloads.
2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and ensure that **[DownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1 or 2 on both devices.
3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated PowerShell window on the second device. The **NumberOfPeers** field should be non-zero.
4. If the number of peers is zero and **[DownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices are not reporting the same public IP address, configure **[DownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[GroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**, to fix this.
> [!NOTE]
> Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers.
### Clients aren't able to connect to peers offered by the cloud service
Try a Telnet test between two devices on the network to ensure they can connect using port 7680. Follow these steps:
1. Install Telnet by running `dism /online /Enable-Feature /FeatureName:TelnetClient` from an elevated command prompt.
2. Run the test. For example, if you are on device with IP 192.168.8.12 and you are trying to test the connection to 192.168.9.17 run `telnet 192.168.9.17 7680` (the syntax is *telnet [destination IP] [port]*. You will either see a connection error or a blinking cursor like this /_. The blinking cursor means success.
> [!NOTE]
> You can also use [Test-NetConnection](/powershell/module/nettcpip/test-netconnection) instead of Telnet to run the test.
> **Test-NetConnection -ComputerName 192.168.9.17 -Port 7680**
### None of the computers on the network are getting updates from peers
Check Delivery Optimization settings that could limit participation in peer caching. Check whether the following settings in assigned group policies, local group policies, or MDM policies are too restrictive:
- Minimum RAM (inclusive) allowed to use peer caching
- Minimum disk size allowed to use peer caching
- Enable peer caching while the device connects using VPN.
- Allow uploads when the device is on battery while under the set battery level

233
windows/deployment/update/waas-delivery-optimization.md
View File

@ -1,14 +1,14 @@
---
title: Delivery Optimization for Windows client updates
title: What is Delivery Optimization?
manager: dougeby
description: This article provides information about Delivery Optimization, a peer-to-peer distribution method in Windows 10.
description: This article provides information about Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11.
keywords: oms, operations management suite, wdav, updates, downloads, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
audience: itpro
author: jaimeo
author: carmenf
ms.localizationpriority: medium
ms.author: jaimeo
ms.author: carmenf
ms.collection:
- M365-modern-desktop
- m365initiative-coredeploy
@ -17,7 +17,7 @@ ms.topic: article
ms.custom: seo-marvel-apr2020
---
# Delivery Optimization for Windows client updates
# What is Delivery Optimization?
**Applies to**
@ -26,209 +26,90 @@ ms.custom: seo-marvel-apr2020
> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158).
Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Microsoft Endpoint Manager (when installation of Express Updates is enabled).
Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization is a cloud-managed solution that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Microsoft Endpoint Manager (when installation of Express Updates is enabled).
Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet.
Access to the Delivery Optimization cloud services and the Internet, are both requirements for using the peer-to-peer functionality of Delivery Optimization.
For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md).
>[!NOTE]
>WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead.
>WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead.
## New in Windows 10, version 20H2 and Windows 11
- New peer selection options: Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID)."
- Local Peer Discovery: a new option for **Restrict Peer Selection By** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). If you also enabled Group mode, Delivery Optimization will connect to locally discovered peers that are also part of the same group (that is, those which have the same Group ID).
- New peer selection options: Currently the available options include: 0 = None, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID)."
- Local Peer Discovery: a new option for **[Restrict Peer Selection By](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection)** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). If Group mode is enabled, Delivery Optimization will connect to locally discovered peers that are also part of the same group, for those devices with the same Group ID).
> [!NOTE]
> The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**. For more information, see [Delivery Optimization reference](/windows/deployment/update/waas-delivery-optimization-reference).
> The Local Peer Discovery (DNS-SD, [RFC 6763](https://datatracker.ietf.org/doc/html/rfc6763)) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**. For more information, see [Delivery Optimization reference](/windows/deployment/update/waas-delivery-optimization-reference.md).
- Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of [Download Mode](waas-delivery-optimization-reference.md#download-mode) is no longer used.
- Starting with Windows 11, the Bypass option of [Download Mode](waas-delivery-optimization-reference.md#download-mode) is no longer used.
## Requirements
The following table lists the minimum Windows 10 version that supports Delivery Optimization:
| Device type | Minimum Windows version |
| Device type | Minimum Windows version
|------------------|---------------|
| Computers running Windows 10 | 1511 |
| Computers running Server Core installations of Windows Server | 1709 |
| IoT devices | 1803 |
| Computers running Windows 10 | Win 10 1511 |
| Computers running Server Core installations of Windows Server | Windows Server 2019 |
| Windows IoT devices | Win 10 1803 |
**Types of download packages supported by Delivery Optimization**
### Types of download content supported by Delivery Optimization
| Download package | Minimum Windows version |
|------------------|---------------|
| Windows client updates (feature updates and quality updates) | 1511 |
| Windows client drivers | 1511 |
| Windows Store files | 1511 |
| Windows Store for Business files | 1511 |
| Windows Defender definition updates | 1511 |
| Microsoft 365 Apps and updates | 1709 (for more information, see [Delivery Optimization and Microsoft 365 Apps](/deployoffice/delivery-optimization)) |
| Win32 apps for Intune | 1709 |
| Xbox game pass games | 2004 |
| MSIX apps (HTTP downloads only) | 2004 |
| Configuration Manager Express updates | 1709 + Configuration Manager version 1711 |
| Edge browser installs and updates | 1809 |
| [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) | 1903 |
#### Windows Client
| Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC)
|------------------|---------------|----------------|----------|----------------|
| Windows Update (feature updates quality updates, language packs, drivers) | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Windows 10 Store files | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Windows 10 Store for Business files | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Windows Defender definition updates | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Intune Win32 apps| Win 10 1709, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Microsoft 365 Apps and updates | Win 10 1709, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Edge Browser Updates | Win 10 1809, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Configuration Manager Express updates| Win 10 1709 + Configuration Manager version Win 10 1711, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Dynamic updates| Win 10 1903, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| MDM Agent | Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Xbox Game Pass (PC) | Win 10 1809, Win 11 | :heavy_check_mark: | | :heavy_check_mark: |
| Windows Package Manager| Win 10 1809, Win 11 | :heavy_check_mark: | | |
| MSIX | Win 10 2004, Win 11 | :heavy_check_mark: | | |
#### Windows Server
| Windows Server | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC)
|----------------|--------------------------|----------------|----------|----------------|
| Windows Update | Windows Server 2019 (1809) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Edge Browser Updates | Windows Server 2019 (1809) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
#### Linux (Public Preview)
| Linux ([Public Preview](https://github.com/microsoft/do-client)) | Linux versions | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC)
|------------------------|----------------|-----------------|--------------|---------------|
| Device Update for IoT Hub | Ubuntu 18.04, 20.04 / Debian 9, 10 | :heavy_check_mark: | | :heavy_check_mark: |
> [!NOTE]
> Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910).
In Windows client Enterprise, Professional, and Education editions, Delivery Optimization is enabled by default for peer-to-peer sharing on the local network (NAT). Specifically, all of the devices must be behind the same NAT, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune.
For more information, see "Download mode" in [Delivery optimization reference](waas-delivery-optimization-reference.md).
## Set up Delivery Optimization
See [Set up Delivery Optimization](waas-delivery-optimization-setup.md) for suggested values for a number of common scenarios.
You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/intune/delivery-optimization-windows))
**Starting with Windows 10, version 1903,** you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
## Reference
For complete list of every possible Delivery Optimization setting, see [Delivery Optimization reference](waas-delivery-optimization-reference.md).
In Windows client Enterprise, Professional, and Education editions, Delivery Optimization is enabled by default for peer-to-peer sharing on the local network (NAT). Specifically, all of the devices must be behind the same NAT (which includes either Ethernet or WiFi), but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. For more information on [Download mode](waas-delivery-optimization-reference.md#download-mode) options.
## How Microsoft uses Delivery Optimization
At Microsoft, to help ensure that ongoing deployments weren't affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet.
For more details, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study.
For more information, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study.
## Using a proxy with Delivery Optimization
If a proxy is being used in your environment, see [Using a proxy with Delivery Optimization](delivery-optimization-proxy.md) to understand the proxy settings needed to properly using Delivery Optimization.
## Frequently asked questions
## Delivery Optimization client-service communication explained
#### Does Delivery Optimization work with WSUS?
Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
To gain a deeper understanding of the Delivery Optimization client-service communication workflow, see [Delivery Optimization client-service communication explained](delivery-optimization-workflow.md)
#### Which ports does Delivery Optimization use?
Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device, but you might need to set this port to accept inbound traffic through your firewall yourself. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data).
## Set up Delivery Optimization for Windows
If you set up Delivery Optimization to create peer groups that include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets), it will use Teredo. For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up.
[Learn more](waas-delivery-optimization-setup.md) about the Delivery Optimization settings to ensure proper set up in your environment.
Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80.
#### What are the requirements if I use a proxy?
For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](./delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting).
#### What hostnames should I allow through my firewall to support Delivery Optimization?
For communication between clients and the Delivery Optimization cloud service: **\*.do.dsp.mp.microsoft.com**.
**For Delivery Optimization metadata**:
- *.dl.delivery.mp.microsoft.com
- *.emdl.ws.microsoft.com
**For the payloads (optional)**:
- *.download.windowsupdate.com
- *.windowsupdate.com
#### Does Delivery Optimization use multicast?
No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
#### How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?
Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more details, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
#### How does Delivery Optimization handle VPNs?
Delivery Optimization attempts to identify VPNs by checking the network adapter type and details and will treat the connection as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN.
With split tunneling, make sure to allow direct access to these endpoints:
Delivery Optimization service endpoint:
- `https://*.prod.do.dsp.mp.microsoft.com`
Delivery Optimization metadata:
- `http://emdl.ws.microsoft.com`
- `http://*.dl.delivery.mp.microsoft.com`
Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads
- `http://*.windowsupdate.com`
- `https://*.delivery.mp.microsoft.com`
- `https://*.update.microsoft.com`
- `https://tsfe.trafficshaping.dsp.mp.microsoft.com`
For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444).
#### How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address?
Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode.
> [!NOTE]
> If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers.
## Troubleshooting
This section summarizes common problems and some solutions to try.
### If you don't see any bytes from peers
If you don't see any bytes coming from peers the cause might be one of the following issues:
- Clients arent able to reach the Delivery Optimization cloud services.
- The cloud service doesnt see other peers on the network.
- Clients arent able to connect to peers that are offered back from the cloud service.
- None of the computers on the network are getting updates from peers.
### Clients aren't able to reach the Delivery Optimization cloud services.
Try these steps:
1. Start a download of an app that is larger than 50 MB from the Store (for example "Candy Crush Saga").
2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and observe the DownloadMode setting. For peering to work, DownloadMode should be 1, 2, or 3.
3. If **DownloadMode** is 99, it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization host names are allowed access: most importantly **\*.do.dsp.mp.microsoft.com**.
### The cloud service doesn't see other peers on the network.
Try these steps:
1. Download the same app on two different devices on the same network, waiting 10 15 minutes between downloads.
2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and ensure that **DownloadMode** is 1 or 2 on both devices.
3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated PowerShell window on the second device. The **NumberOfPeers** field should be non-zero.
4. If the number of peers is zero and you have **DownloadMode** = 1, ensure that both devices are using the same public IP address to reach the internet. Open a browser Windows and search for “what is my IP”. You can **DownloadMode 2** (Group) and a custom GroupID (Guid) to fix this if the devices arent reporting the same public IP address.
> [!NOTE]
> Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers.
### Clients aren't able to connect to peers offered by the cloud service
Try a Telnet test between two devices on the network to ensure they can connect using port 7680. Follow these steps:
1. Install Telnet by running `dism /online /Enable-Feature /FeatureName:TelnetClient` from an elevated command prompt.
2. Run the test. For example, if you are on device with IP 192.168.8.12 and you are trying to test the connection to 192.168.9.17 run `telnet 192.168.9.17 7680` (the syntax is *telnet [destination IP] [port]*. You will either see a connection error or a blinking cursor like this /_. The blinking cursor means success.
> [!NOTE]
> You can also use [Test-NetConnection](/powershell/module/nettcpip/test-netconnection) instead of Telnet to run the test.
> **Test-NetConnection -ComputerName 192.168.9.17 -Port 7680**
### None of the computers on the network are getting updates from peers
Check Delivery Optimization settings that could limit participation in peer caching. Check whether the following settings in assigned group policies, local group policies, or MDM policies are too restrictive:
- Minimum RAM (inclusive) allowed to use peer caching
- Minimum disk size allowed to use peer caching
- Enable peer caching while the device connects using VPN.
- Allow uploads when the device is on battery while under the set battery level
## Delivery Optimization reference
For a complete list of Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md).

58
windows/deployment/update/waas-microsoft-connected-cache.md Normal file
View File

@ -0,0 +1,58 @@
---
title: What is Microsoft Connected Cache?
manager: dougeby
description: This article provides information about Microsoft Connected Cache, a software-only caching solution.
keywords: oms, operations management suite, wdav, updates, downloads, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
audience: itpro
author: carmenf
ms.localizationpriority: medium
ms.author: carmenf
ms.collection:
- M365-modern-desktop
- m365initiative-coredeploy
- highpri
ms.topic: article
ms.custom: seo-marvel-apr2020
---
# What is Microsoft Connected Cache?
**Applies to**
- Windows 10
- Windows 11
Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
Microsoft Connected Cache is a hybrid (mix of on-prem and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. Its built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. Microsoft Connected Cache will be a Linux IoT Edge module running on the Windows Host OS.
Even though your Microsoft Connected Cache scenario is not related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage Microsoft Connected Cache on your edge device:
1. Installs and updates Microsoft Connected Cache on your edge device.
2. Maintains Azure IoT Edge security standards on your edge device.
3. Ensures that Microsoft Connected Cache is always running.
4. Reports Microsoft Connected Cache health and usage to the cloud for remote monitoring.
To deploy a functional Microsoft Connected Cache to your device, you must obtain the necessary keys to provision the Connected Cache instance that communicates with Delivery Optimization services, and enable the device to cache and deliver content. The architecture of Microsoft Connected Cache is described below.
For more details information on Azure IoT Edge, please see the Azure IoT Edge [documentation](/azure/iot-edge/about-iot-edge).
## How Microsoft Connected Cache Works
1. The Azure Management Portal is used to create Microsoft Connected Cache nodes.
2. The Microsoft Connected Cache container is deployed and provisioned to the server using the installer provided in the portal.
3. Client policy is set in your management solution to point to the IP address or FQDN of the cache server.
4. Microsoft end-user devices make range requests for content from the Microsoft Connected Cache node.
5. The Microsoft Connected Cache node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
6. Subsequent requests from end-user devices for content will now come from cache.
7. If the Microsoft Connected Cache node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers.
See the following diagram.
![Microsoft Connected Cache Overview](images/waas-mcc-diag-overview.png#lightbox)
## Also see
[Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898)

2
windows/deployment/update/waas-overview.md
View File

@ -1,7 +1,7 @@
---
title: Overview of Windows as a service
description: Windows as a service is a way to build, deploy, and service Windows. Learn how Windows as a service works.
keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, tools
keywords: updates, servicing, current, deployment, General Availability Channel, General Availability Channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo

2
windows/deployment/update/waas-quick-start.md
View File

@ -1,7 +1,7 @@
---
title: Quick guide to Windows as a service (Windows 10)
description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, tools
keywords: updates, servicing, current, deployment, General Availability Channel, General Availability Channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo

4
windows/deployment/update/windows-update-resources.md
View File

@ -84,8 +84,8 @@ If all else fails, try resetting the Windows Update Agent by running these comma
```
2. Reset the **BITS service** and the **Windows Update service** to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
``` console
sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc.exe sdset bits D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
```
5. Type the following command at a command prompt, and then press ENTER:
``` console

4
windows/deployment/upgrade/resolution-procedures.md
View File

@ -45,7 +45,7 @@ See the following general troubleshooting procedures associated with a result co
| :--- | :--- | :--- |
| 0xC1900101 - 0x20004 | Uninstall antivirus applications.<br>Remove all unused SATA devices. <br>Remove all unused devices and drivers. <br>Update drivers and BIOS. | Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation. <br>This is generally caused by out-of-date drivers. |
| 0xC1900101 - 0x2000c | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.<br> Contact your hardware vendor to obtain updated device drivers.<br> Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. | Windows Setup encountered an unspecified error during Wim apply in the WinPE phase.<br> This is generally caused by out-of-date drivers |
| 0xC1900101 - 0x20017 | Ensure that all that drivers are updated.<br>Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.<br>For more information, see [Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows 10 setup log file locations](/troubleshoot/windows-client/deployment/windows-setup-log-file-locations).<br>Update or uninstall the problem drivers. | A driver has caused an illegal operation.<br>Windows was not able to migrate the driver, resulting in a rollback of the operating system.<br>This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software. |
| 0xC1900101 - 0x20017 | Ensure that all that drivers are updated.<br>Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.<br>For more information, see [Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows 10 setup log file locations](/troubleshoot/windows-client/deployment/windows-setup-log-file-locations).<br>Update or uninstall the problem drivers. | A driver has caused an illegal operation.<br>Windows was not able to migrate the driver, resulting in a rollback of the operating system.<br>This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software.<br>This can also be caused by a hardware failure. |
| 0xC1900101 - 0x30018 | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.<br>Contact your hardware vendor to obtain updated device drivers.<br>Ensure that &quot;Download and install updates (recommended)&quot; is accepted at the start of the upgrade process. | A device driver has stopped responding to setup.exe during the upgrade process. |
| 0xC1900101 - 0x3000D | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.<br>Update or uninstall the display driver. | Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation.<br>This can occur due to a problem with a display driver. |
| 0xC1900101 - 0x4000D | Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.<br>Review the rollback log and determine the stop code.<br>The rollback log is located in the <strong>$Windows.~BT\Sources\Rollback</strong> folder. An example analysis is shown below. This example is not representative of all cases:<br>&nbsp;<br>Info SP Crash 0x0000007E detected<br>Info SP Module name :<br>Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005<br>Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A<br>Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728<br>Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40<br>Info SP Cannot recover the system.<br>Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.<br>&nbsp;<br>Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:<br>&nbsp;<br>1. Make sure you have enough disk space.<br>2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.<br>3. Try changing video adapters.<br>4. Check with your hardware vendor for any BIOS updates.<br>5. Disable BIOS memory options such as caching or shadowing. | A rollback occurred due to a driver configuration issue.<br>Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.<br>This can occur because of incompatible drivers. |
@ -93,7 +93,7 @@ See the following general troubleshooting procedures associated with a result co
| Error Codes | Cause | Mitigation |
| --- | --- | --- |
|0x80070003- 0x20007|This is a failure during SafeOS phase driver installation.|[Verify device drivers](/windows-hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver.|
|0x8007025D - 0x2000C|This error occurs if the ISO file&#39;s metadata is corrupt.|Re-download the ISO/Media and re-attempt the upgrade<p>Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/software-download/windows10).|
|0x8007025D - 0x2000C|This error occurs if the ISO file&#39;s metadata is corrupt or if there is an issue with the storage medium, such as a RAM module containing bad blocks during the installation of Windows.|Re-download the ISO/Media and re-attempt the upgrade<p>Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/software-download/windows10).|
|0x80070490 - 0x20007|An incompatible device driver is present.|[Verify device drivers](/windows-hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver.|
|0xC1900101 - 0x2000c|An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption.|Run checkdisk to repair the file system. For more information, see the [quick fixes](quick-fixes.md) section in this guide.<br>Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.|
|0xC1900200 - 0x20008|The computer doesnt meet the minimum requirements to download or upgrade to Windows 10.|See [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) and verify the computer meets minimum requirements.<p>Review logs for [compatibility information](/archive/blogs/askcore/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues).|

2
windows/deployment/vda-subscription-activation.md
View File

@ -153,4 +153,4 @@ To create custom RDP settings for Azure:
[Windows 10/11 Subscription Activation](windows-10-subscription-activation.md)
<BR>[Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations)
<BR>[Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf)
<BR>[Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf)

292
windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
View File

@ -1,145 +1,147 @@
---
title: Activate using Active Directory-based activation (Windows 10)
description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
ms.custom: seo-marvel-apr2020
ms.assetid: 08cce6b7-7b5b-42cf-b100-66c363a846af
manager: dougeby
ms.author: greglin
keywords: vamt, volume activation, activation, windows activation
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
audience: itpro
author: greg-lindsay
ms.localizationpriority: medium
ms.date: 07/27/2017
ms.topic: article
ms.collection: highpri
---
# Activate using Active Directory-based activation
> Applies to
>- Windows 11
>- Windows 10
>- Windows 8.1
>- Windows 8
>- Windows Server 2012 R2
>- Windows Server 2012
>- Windows Server 2016
>- Windows Server 2019
>- Office 2021*
>- Office 2019*
>- Office 2016*
>- Office 2013*
**Looking for retail activation?**
- [Get Help Activating Microsoft Windows 7 or Windows 8.1](https://support.microsoft.com/help/15083/windows-activate-windows-7-or-8-1)
- [Get Help Activating Microsoft Windows 10](https://support.microsoft.com/help/12440/windows-10-activate)
Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated using *adprep.exe* on a supported server OS, but after the schema is updated, older domain controllers can still activate clients.
Any domain-joined computers running a supported operating system with a Generic Volume License Key (GVLK) will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention.
To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10.
The process proceeds as follows:
1. Perform one of the following tasks:
- Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard.
- Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT.
2. Microsoft verifies the KMS host key, and an activation object is created.
3. Client computers are activated by receiving the activation object from a domain controller during startup.
> [!div class="mx-imgBorder"]
> ![Active Directory-based activation flow.](../images/volumeactivationforwindows81-10.jpg)
**Figure 10**. The Active Directory-based activation flow
For environments in which all computers are running an operating system listed under *Applies to*, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment.
If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office.
Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180 day period. By default, this reactivation event occurs every seven days.
When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, and the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS.
## Step-by-step configuration: Active Directory-based activation
> [!NOTE]
> You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings.
**To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:**
1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller.
2. Launch Server Manager.
3. Add the Volume Activation Services role, as shown in Figure 11.
![Adding the Volume Activation Services role.](../images/volumeactivationforwindows81-11.jpg)
**Figure 11**. Adding the Volume Activation Services role
4. Click the link to launch the Volume Activation Tools (Figure 12).
![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-12.jpg)
**Figure 12**. Launching the Volume Activation Tools
5. Select the **Active Directory-Based Activation** option (Figure 13).
![Selecting Active Directory-Based Activation.](../images/volumeactivationforwindows81-13.jpg)
**Figure 13**. Selecting Active Directory-Based Activation
6. Enter your KMS host key and (optionally) a display name (Figure 14).
![Choosing how to activate your product.](../images/volumeactivationforwindows81-15.jpg)
**Figure 14**. Entering your KMS host key
7. Activate your KMS host key by phone or online (Figure 15).
![Entering your KMS host key.](../images/volumeactivationforwindows81-14.jpg)
**Figure 15**. Choosing how to activate your product
> [!NOTE]
> To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed.
>
>
> - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584)
>
> - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164)
>
> - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342)
>
> - [Office 2021 VL pack](https://www.microsoft.com/download/details.aspx?id=103446)
8. After activating the key, click **Commit**, and then click **Close**.
## Verifying the configuration of Active Directory-based activation
To verify your Active Directory-based activation configuration, complete the following steps:
1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing.
2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key.
3. If the computer is not joined to your domain, join it to the domain.
4. Sign in to the computer.
5. Open Windows Explorer, right-click **Computer**, and then click **Properties**.
6. Scroll down to the **Windows activation** section, and verify that this client has been activated.
> [!NOTE]
> If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
>
> To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](./volume-activation-management-tool.md).
## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
---
title: Activate using Active Directory-based activation (Windows 10)
description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
ms.custom: seo-marvel-apr2020
ms.assetid: 08cce6b7-7b5b-42cf-b100-66c363a846af
manager: dougeby
ms.author: greglin
keywords: vamt, volume activation, activation, windows activation
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
audience: itpro
author: greg-lindsay
ms.localizationpriority: medium
ms.date: 01/13/2022
ms.topic: article
ms.collection: highpri
---
# Activate using Active Directory-based activation
**Applies to**
Windows 11
Windows 10
Windows 8.1
Windows 8
Windows Server 2012 R2
Windows Server 2012
Windows Server 2016
Windows Server 2019
Office 2021*
Office 2019*
Office 2016*
Office 2013*
**Looking for retail activation?**
- [Get Help Activating Microsoft Windows 7 or Windows 8.1](https://support.microsoft.com/help/15083/windows-activate-windows-7-or-8-1)
- [Get Help Activating Microsoft Windows 10](https://support.microsoft.com/help/12440/windows-10-activate)
Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated using *adprep.exe* on a supported server OS, but after the schema is updated, older domain controllers can still activate clients.
Any domain-joined computers running a supported operating system with a Generic Volume License Key (GVLK) will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention.
To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10.
The process proceeds as follows:
1. Perform one of the following tasks:
- Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard.
- Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT.
2. Microsoft verifies the KMS host key, and an activation object is created.
3. Client computers are activated by receiving the activation object from a domain controller during startup.
> [!div class="mx-imgBorder"]
> ![Active Directory-based activation flow.](../images/volumeactivationforwindows81-10.jpg)
**Figure 10**. The Active Directory-based activation flow
For environments in which all computers are running an operating system listed under *Applies to*, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment.
If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office.
Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180 day period. By default, this reactivation event occurs every seven days.
When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, and the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS.
## Step-by-step configuration: Active Directory-based activation
> [!NOTE]
> You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings.
**To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:**
1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller.
2. Launch Server Manager.
3. Add the Volume Activation Services role, as shown in Figure 11.
![Adding the Volume Activation Services role.](../images/volumeactivationforwindows81-11.jpg)
**Figure 11**. Adding the Volume Activation Services role
4. Click the link to launch the Volume Activation Tools (Figure 12).
![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-12.jpg)
**Figure 12**. Launching the Volume Activation Tools
5. Select the **Active Directory-Based Activation** option (Figure 13).
![Selecting Active Directory-Based Activation.](../images/volumeactivationforwindows81-13.jpg)
**Figure 13**. Selecting Active Directory-Based Activation
6. Enter your KMS host key and (optionally) a display name (Figure 14).
![Choosing how to activate your product.](../images/volumeactivationforwindows81-15.jpg)
**Figure 14**. Entering your KMS host key
7. Activate your KMS host key by phone or online (Figure 15).
![Entering your KMS host key.](../images/volumeactivationforwindows81-14.jpg)
**Figure 15**. Choosing how to activate your product
> [!NOTE]
> To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed. For more details, see [Activate volume licensed versions of Office by using Active Directory](/deployoffice/vlactivation/activate-office-by-using-active-directory).
>
>
> - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584)
>
> - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164)
>
> - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342)
>
> - [Office LTSC 2021 VL pack](https://www.microsoft.com/download/details.aspx?id=103446)
8. After activating the key, click **Commit**, and then click **Close**.
## Verifying the configuration of Active Directory-based activation
To verify your Active Directory-based activation configuration, complete the following steps:
1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing.
2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key.
3. If the computer is not joined to your domain, join it to the domain.
4. Sign in to the computer.
5. Open Windows Explorer, right-click **Computer**, and then click **Properties**.
6. Scroll down to the **Windows activation** section, and verify that this client has been activated.
> [!NOTE]
> If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
>
> To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](./volume-activation-management-tool.md).
## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md)

20
windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
View File

@ -162,7 +162,7 @@ After you download this file, the name will be extremely long (ex: 19042.508.200
The **Get-NetAdaper** cmdlet is used to automatically find the network adapter that's most likely to be the one you use to connect to the internet. You should test this command first by running the following at an elevated Windows PowerShell prompt:
```powershell
(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
(Get-NetAdapter | Where-Object {$_.Status -eq "Up" -and !$_.Virtual}).Name
```
The output of this command should be the name of the network interface you use to connect to the internet. Verify that this is the correct interface name. If it isn't the correct interface name, you'll need to edit the first command below to use your network interface name.
@ -178,10 +178,10 @@ All VM data will be created under the current path in your PowerShell prompt. Co
>
>- If you previously enabled Hyper-V and your internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."
>- If you have never created an external VM switch before, then just run the commands below.
>- If you're not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a currently list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that's used to connect to the internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch).
>- If you're not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a current list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that's used to connect to the internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch).
```powershell
New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter | Where-Object {$_.Status -eq "Up" -and !$_.Virtual}).Name
New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
Start-VM -VMName WindowsAutopilot
@ -238,7 +238,6 @@ PS C:\autopilot&gt;
Make sure that the VM booted from the installation ISO, select **Next**, select **Install now**, and then complete the Windows installation process. See the following examples:
![Windows setup example 1](images/winsetup1.png)
![Windows setup example 2](images/winsetup2.png)
@ -251,7 +250,6 @@ Make sure that the VM booted from the installation ISO, select **Next**, select
![Windows setup example 6](images/winsetup6.png)
After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This offers the fastest way to the desktop. For example:
![Windows setup example 7.](images/winsetup7.png)
@ -279,12 +277,12 @@ Follow these steps to run the PowerShell script:
1. **On the client VM**: Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same whether you're using a VM or a physical device:
```powershell
md c:\HWID
Set-Location c:\HWID
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
New-Item -Type Directory -Path "C:\HWID"
Set-Location C:\HWID
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutopilotInfo -Force
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv
```
1. When you're prompted to install the NuGet package, choose **Yes**.
@ -349,7 +347,7 @@ Follow these steps to run the PowerShell script:
With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
On the Virtual Machine, go to **Settings > Update & Security > Recovery** and select **Get started** under **Reset this PC**.
Select **Remove everything** and **Just remove my files**. If you're asked **How would you like to reinstall Windows**, select Local reinstall. Finally, select **Reset**.
Select **Remove everything**, then, on **How would you like to reinstall Windows**, select **Local reinstall**. Finally, select **Reset**.
![Reset this PC final prompt.](images/autopilot-reset-prompt.jpg)
@ -616,7 +614,7 @@ To use the device (or VM) for other purposes after completion of this lab, you n
### Delete (deregister) Autopilot device
You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), log into the MEM admin center, then go to **Intune > Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu.
You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), log into the MEM admin center, then go to **Intune > Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu.
> [!div class="mx-imgBorder"]
> ![Delete device step 1.](images/delete-device1.png)

2
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
View File

@ -8508,7 +8508,7 @@ The following fields are available:
- **oSVersion** Build number of the device.
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** Device in the semi-annual channel.
- **sacDevice** Device in the General Availability Channel.
- **wUfBConnected** Result of WUfB connection check.

7
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
View File

@ -8,7 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: siosulli
author: RyanHechtMSFT
ms.author: dansimp
manager: dansimp
ms.date: 11/29/2021
@ -176,4 +176,7 @@ For Windows 10 and Windows 11, the following MDM policies are available in the [
|ocsp.digicert.com/*|
|r.manage.microsoft.com|
|tile-service.weather.microsoft.com|
|settings-win.data.microsoft.com|
|settings-win.data.microsoft.com|
|msedge.api.cdp.microsoft.com|
|\*.dl.delivery.mp.microsoft.com|

2
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -1884,7 +1884,7 @@ Most restricted value is 0.
ADMX Info:
- GP English name: Allow Clipboard synchronization across devices<br>
- GP Friendly name: Allow Clipboard synchronization across devices<br>
- GP name: AllowCrossDeviceClipboard<br>
- GP path: System/OS Policies<br>
- GP ADMX file name: OSPolicy.admx<br>

2
windows/privacy/required-windows-11-diagnostic-events-and-fields.md
View File

@ -6379,7 +6379,7 @@ The following fields are available:
- **oSVersion** Build number of the device.
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** Device in the semi-annual channel.
- **sacDevice** Device in the General Availability Channel.
- **wUfBConnected** Result of WUfB connection check.

2
windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
View File

@ -7269,7 +7269,7 @@ The following fields are available:
- **oSVersion** Build number of the device.
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** Device in the semi-annual channel.
- **sacDevice** Device in the General Availability Channel.
- **wUfBConnected** Result of WUfB connection check.

4
windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
View File

@ -12,7 +12,7 @@ ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 08/17/2017
ms.date: 01/26/2022
ms.reviewer:
---
@ -33,7 +33,7 @@ The following known issue has been fixed in the [Cumulative Security Update for
Failure occurred in LogonUserExEx. <br>
User Action: Ensure the credentials for the task are correctly specified. <br>
Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect)."
- When enabling NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. For example:
- When enabling NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. You also get a similar user name in a user logon failure event 4625 with error 0xC0000064 on the machine itself. For example:
> Log Name: Microsoft-Windows-NTLM/Operational
Source: Microsoft-Windows-Security-Netlogon
Event ID: 8004

46
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
View File

@ -87,17 +87,51 @@ Sign-in to computer running Azure AD Connect with access equivalent to _local ad
### Verify the onPremisesDistinguishedName attribute is synchronized
The easiest way to verify the onPremisesDistingushedNamne attribute is synchronized is to use Azure AD Graph Explorer.
The easiest way to verify that the onPremisesDistingushedNamne attribute is synchronized is to use the Graph Explorer for Microsoft Graph.
1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/
1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
2. Click **Login** and provide Azure credentials
2. Select **Sign in to Graph Explorer** and provide Azure credentials.
3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go**
> [!NOTE]
> To successfully query the Graph API, adequate [permissions](/graph/api/user-get?view=graph-rest-1.0&tabs=http#permissions) must be granted.
4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user.
3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You will now be prompted for delegated permissions consent.
![Azure AD Connect On-Prem DN Attribute.](images/aadjcert/aadconnectonpremdn.png)
4. In the Graph Explorer URL, enter https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName, where **[userid]** is the user principal name of a user in Azure Active Directory. Select **Run query**.
> [!NOTE]
> Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?view=graph-rest-1.0&tabs=http#optional-query-parameters). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios.
#### Request
<!-- {
"blockType": "request",
"name": "get_user_select"
} -->
```msgraph-interactive
GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,userPrincipalName,onPremisesDistinguishedName
```
5. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute is not synchronized the value will be **null**.
#### Response
<!-- {
"blockType": "response",
"truncated": true,
"@odata.type": "microsoft.graph.user"
} -->
```http
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(displayName,userPrincipalName,onPremisesDistinguishedName)/$entity",
"displayName": "Nestor Wilke",
"userPrincipalName": "NestorW@contoso.com",
"onPremisesDistinguishedName" : "CN=Nestor Wilke,OU=Operations,DC=contoso,DC=com"
}
```
## Prepare the Network Device Enrollment Services (NDES) Service Account

10
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
View File

@ -55,15 +55,17 @@ Windows Hello for Business must have a public key infrastructure regardless of t
This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later.
For more details about configuring a Windows enterprise public key infrastructure and installing Active Directory Certificate Services, see [Follow the Windows Hello for Business hybrid key trust deployment guide](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki#follow-the-windows-hello-for-business-hybrid-key-trust-deployment-guide) and [Install the Certification Authority](/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority).
> [!NOTE]
> Never install a certificate authority on a domain controller in a production environment.
### Lab-based public key infrastructure
The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment.
Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed.
>[!NOTE]
>Never install a certificate authority on a domain controller in a production environment.
1. Open an elevated Windows PowerShell prompt.
2. Use the following command to install the Active Directory Certificate Services role.
```PowerShell
@ -148,4 +150,4 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation
3. New Installation Baseline (*You are here*)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)

2
windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
View File

@ -15,7 +15,7 @@ manager: dansimp
# How to configure Diffie Hellman protocol over IKEv2 VPN connections
>Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows 10, Windows 11
>Applies To: Windows Server (General Availability Channel), Windows Server 2016, Windows 10, Windows 11
In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges.

4
windows/security/information-protection/tpm/change-the-tpm-owner-password.md
View File

@ -13,7 +13,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 12/03/2021
ms.date: 01/18/2022
---
# Change the TPM owner password
@ -46,7 +46,7 @@ Instead of changing your owner password, you can also use the following options
## Change the TPM owner password
With Windows 10, version 1507 or 1511, or Windows 11, if you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password.
With Windows 10, version 1507 or 1511, if you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password.
To change to a new TPM owner password, in TPM.msc, click **Change Owner Password**, and follow the instructions. You will be prompted to provide the owner password file or to type the password. Then you can create a new password, either automatically or manually, and save the password in a file or as a printout.

4
windows/security/threat-protection/auditing/audit-registry.md
View File

@ -48,6 +48,6 @@ If success auditing is enabled, an audit entry is generated each time any accoun
> [!NOTE]
> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable".
> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". This behavior is expected only on later versions of the operating system (Windows 11, Windows Server 2022, and later). On previous versions, 4656 events are not generated during subkey creation.
>
> Calls to Registry APIs to access an open key object to perform an operation such as RegSetValue, RegEnumValue, and RegRenameKey would trigger an event to access the object (event 4663). For example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would.
> Calls to Registry APIs to access an open key object to perform an operation such as RegSetValue, RegEnumValue, and RegRenameKey would trigger an event to access the object (event 4663). For example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would.

14
windows/security/threat-protection/auditing/event-4688.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 09/07/2021
ms.date: 01/24/2022
ms.reviewer:
manager: dansimp
ms.author: dansimp
@ -25,7 +25,8 @@ ms.technology: windows-sec
This event generates every time a new process starts.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
> [Note]
> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
@ -96,7 +97,8 @@ This event generates every time a new process starts.
- **Security ID** \[Type = SID\]**:** SID of account that requested the "create process" operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
> [Note]
> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the "create process" operation.
@ -116,11 +118,13 @@ This event generates every time a new process starts.
**Target Subject** \[Version 2\]**:**
> **Note**&nbsp;&nbsp;This event includes the principal of the process creator, but this is not always sufficient if the target context is different from the creator context. In that situation, the subject specified in the process termination event does not match the subject in the process creation event even though both events refer to the same process ID. Therefore, in addition to including the creator of the process, we will also include the target principal when the creator and target do not share the same logon.
> [Note]
> This event includes the principal of the process creator, but this is not always sufficient if the target context is different from the creator context. In that situation, the subject specified in the process termination event does not match the subject in the process creation event even though both events refer to the same process ID. Therefore, in addition to including the creator of the process, we will also include the target principal when the creator and target do not share the same logon.
- **Security ID** \[Type = SID\] \[Version 2\]**:** SID of target account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
> [Note]
> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\] \[Version 2\]**:** the name of the target account.

4
windows/security/threat-protection/intelligence/safety-scanner-download.md
View File

@ -35,11 +35,11 @@ Microsoft Safety Scanner is a scan tool designed to find and remove malware from
- Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download.
- This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Microsoft Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
- This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Microsoft Defender Antivirus on Windows 11, Windows 10, and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
## System requirements
Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the [Microsoft Lifecycle Policy](/lifecycle/).
Safety Scanner helps remove malicious software from computers running Windows 11, Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. For details, refer to the [Microsoft Lifecycle Policy](/lifecycle/).
## How to run a scan

2
windows/security/threat-protection/windows-defender-application-control/TOC.yml
View File

@ -35,6 +35,8 @@
href: manage-packaged-apps-with-windows-defender-application-control.md
- name: Use WDAC to control specific plug-ins, add-ins, and modules
href: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
- name: Understand WDAC policy settings
href: understanding-wdac-policy-settings.md
- name: Use multiple WDAC policies
href: deploy-multiple-windows-defender-application-control-policies.md
- name: Create your WDAC policy

2
windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
View File

@ -55,7 +55,7 @@ Ea Value Length: 7e
## Enabling managed installer logging events
Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events.
Refer to [Understanding Application Control Events](event-id-explanations.md#diagnostic-events-for-intelligent-security-graph-isg-and-managed-installer-mi) for information on enabling optional managed installer diagnostic events.
## Deploying the Managed Installer rule collection

51
windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
View File

@ -20,21 +20,22 @@ ms.technology: windows-sec
# Guidance on Creating WDAC Deny Policies
With Windows Defender Application Control (WDAC), you can create application control policies to explicitly deny specific drivers and applications, as well as signatures and certificates and file paths.
With Windows Defender Application Control (WDAC), you can create policies to explicitly deny specific drivers and applications.
In this article we explain:
Topics this article will be discussing are:
1. File Rule Precedence Order
2. Adding Allow Rules
3. Singe Policy Considerations
4. Multiple Policy Considerations
5. Best Practices
6. Tutorial/Walkthrough
6. Tutorial
## File Rule Precedence Order
To create effective WDAC deny policies, it is crucial to understand how WDAC parses the policy. The WDAC engine evaluates files against the policy in the following order.
To create effective WDAC deny policies, it's crucial to understand how WDAC parses the policy. The WDAC engine evaluates files against the policy in the following order.
1. Explicit deny rules - if there is an explicit deny rule, do not process the rest of the rules; the file is untrusted.
1. Explicit deny rules - if any explicit deny rule exists for a file, it will not run even if other rules are created to try to allow it. Deny rules can use any [rule level](select-types-of-rules-to-create.md#windows-defender-application-control-file-rule-levels). Use the most specific rule level practical when creating deny rules to avoid blocking more than you intend.
2. Explicit allow rules.
@ -42,12 +43,11 @@ To create effective WDAC deny policies, it is crucial to understand how WDAC par
4. Lastly, WDAC will call the Intelligent Security Graph (ISG) to get reputation on file, if the policy has support for the ISG.
Explicit allow and deny rules encompass rules at any level (for example hash rules, signer rules path rules, attribute rules, or package family name rules). If there is an explicit deny rule, WDAC does not process any other rules, meaning a deny rule always takes precedence in the case where a deny and allow rule would be at odds.
5. If no rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly.
## Interaction with Existing Policies
### Adding Allow Rules
In the scenario where there is not an explicit allow rule, there is not a managed installer or ISG EA and ISG is not configured, WDAC will block the file as there is nothing in the policy vouching for trust of the file.
### Adding Allow Rules
If this deny policy is the only policy on the device, the following rule(s) need to be added to the policy in addition to the deny/block rules to trust for the driver files outside of the intended blocklisted ones:
@ -67,10 +67,11 @@ If this deny policy is the only policy on the device, the following rule(s) need
```
If the policy enables user mode code integrity via the ***Enabled:UMCI*** rule-option, the following section needs to be added to the policy in addition to the deny/block rules to trust for the driver and user mode files outside of the intended blocklisted ones:
```xml
<FileRules>
<Allow ID="ID_ALLOW_A_1" FriendlyName="Allow Kernel Drivers" FileName="*" />
<Allow ID="ID_ALLOW_A_2" FriendlyName="Allow User mode components" FileName="*" />
<Allow ID="ID_ALLOW_A_1" FriendlyName="Allow Kernel Drivers" FileName="*" />
<Allow ID="ID_ALLOW_A_2" FriendlyName="Allow User mode components" FileName="*" />
</FileRules>
<SigningScenarios>
<SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Kernel Mode Signing Scenario">
@ -89,8 +90,10 @@ If the policy enables user mode code integrity via the ***Enabled:UMCI*** rule-o
</SigningScenario>
</SigningScenarios>
```
## Single Policy Considerations
If the set of deny rules is to be added into an existing policy with allow rules, then the above Allow All rules should not be added to the policy. Instead, the deny policy should be merged with the existing WDAC policy via the [WDAC Wizard](wdac-wizard-merging-policies.md) or using the following PowerShell command:
If the set of deny rules is to be added into an existing policy with allow rules, then the above Allow All rules shouldn't be added to the policy. Instead, the deny policy should be merged with the existing WDAC policy via the [WDAC Wizard](wdac-wizard-merging-policies.md) or using the following PowerShell command:
```PowerShell
$DenyPolicy = <path_to_deny_policy>
@ -99,50 +102,56 @@ Merge-CIPolicy -PolicyPaths $ DenyPolicy, $ExistingPolicy -OutputFilePath $Exist
```
## Multiple Policy Considerations
If you are currently using [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) on a device, there are two options for integrating the blocklist into your policy set.
(Recommended) The first option is to keep the blocklist as its own policy isolated from your allow policies as it is easier to manage. Since applications need to be [allowed by both WDAC policies to run on the device](deploy-multiple-windows-defender-application-control-policies.md#base-and-supplemental-policy-interaction), you will need to add the Allow All rule(s) to your deny policy. This will not override the set of applications allowed by WDAC illustrated by the following example:
If you're currently using [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) on a device, there are two options for integrating the blocklist into your policy set.
Policy 1 is an allowlist of Windows and Microsoft-signed applications. Policy 2 is our new deny policy, which blocks MaliciousApp.exe with the Allow All rules. MaliciousApp.exe will be blocked since there is an explicit block rule in Policy 2. Windows and Microsoft applications will be allowed since there is an explicit allow rule in Policy 1 and Policy 2 (due to the Allow All rules). All other applications, if not Windows and Microsoft signed, for example, ExampleApp.exe, will not be allowed as this application is only trusted by Policy 2 (due to the Allow All rules) and not Policy 1.
(Recommended) The first option is to keep the blocklist as its own policy isolated from your allow policies as it is easier to manage. Since applications need to be [allowed by both WDAC policies to run on the device](deploy-multiple-windows-defender-application-control-policies.md#base-and-supplemental-policy-interaction), you'll need to add the Allow All rule(s) to your deny policy. Doing so won't override the set of applications allowed by WDAC illustrated by the following example:
Policy 1 is an allowlist of Windows and Microsoft-signed applications. Policy 2 is our new deny policy, which blocks MaliciousApp.exe with the Allow All rules. MaliciousApp.exe will be blocked since there's an explicit block rule in Policy 2. Windows and Microsoft applications will be allowed since there's an explicit allow rule in Policy 1 and Policy 2 (due to the Allow All rules). All other applications, if not Windows and Microsoft signed, for example, ExampleApp.exe, won't be allowed as this application is only trusted by Policy 2 (due to the Allow All rules) and not Policy 1.
The second option involves merging the blocklist with your existing WDAC policy, regardless if the policy is an allowlist policy and contains allow and/or deny rules.
## Best Practices
1. **Starting with Audit Mode Policies** - as with all new policies, we recommend rolling out your new deny policy in Audit Mode and monitoring the [3077 block events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) to ensure only the applications you intended to block are being blocked. More information on monitoring block events via the Event Viewer logs and Advanced Hunting: [Managing and troubleshooting Windows Defender Application Control policies](windows-defender-application-control-operational-guide.md)
2. **Recommended Deny Rules Types** - signer and file attribute rules are recommended from a security, manageability, and performance perspective. Hash rules should only be utilized where otherwise impossible. The hash of an application is updated for every new version released by the publisher, which quickly becomes impractical to manage and protect against new threats where the attacker is quickly iterating on the payload. Additionally, WDAC has optimized parsing of hash rules, but devices may see performance impacts at runtime evaluation when policies have tens of thousands or more hash rules.
1. **Starting with Audit Mode Policies** - as with all new policies, we recommend rolling out your new deny policy in Audit Mode and monitoring the [3077 block events](event-id-explanations.md) to ensure only the applications you intended to block are being blocked. More information on monitoring block events via the Event Viewer logs and Advanced Hunting: [Managing and troubleshooting Windows Defender Application Control policies](windows-defender-application-control-operational-guide.md)
2. **Recommended Deny Rules Types** - signer and file attribute rules are recommended from a security, manageability, and performance perspective. Hash rules should only be utilized where otherwise impossible. The hash of an application is updated for every new version released by the publisher, which quickly becomes impractical to manage and protect against new threats where the attacker is quickly iterating on the payload. Additionally, WDAC has optimized parsing of hash rules, but devices may see performance impacts at runtime evaluation when policies have tens of thousands or more hash rules.
## Creating a Deny Policy Tutorial
Deny rules and policies can be created using the PowerShell cmdlets or the [WDAC Wizard](https://webapp-wdac-wizard.azurewebsites.net/). We recommend creating signer rules (PCACertificate, Publisher, and FilePublisher) wherever possible. In the cases of unsigned binaries, rules must be created on attributes of the file, such as the original filename, or the hash.
Deny rules and policies can be created using the PowerShell cmdlets or the [WDAC Wizard](https://webapp-wdac-wizard.azurewebsites.net/). We recommend creating signer rules (PCACertificate, Publisher, and FilePublisher) wherever possible. In the cases of unsigned binaries, rules must be created on attributes of the file, such as the original filename, or the hash.
### Software Publisher Based Deny Rule
```Powershell
$DenyRules += New-CIPolicyRule -Level FilePublisher -DriverFilePath <binary_to_block> -Deny -Fallback FileName,Hash
```
### Software Attributes Based Deny Rule
```Powershell
$DenyRules += New-CIPolicyRule -Level FileName -DriverFilePath <binary_to_block> -Deny -Fallback Hash
```
### Hash Based Deny Rule
```PowerShell
New-CIPolicyRule -Level Hash -DriverFilePath <binary_to_block> -Deny
```
### Adding Allow All Rules
If necessary, as in the cases listed above, [Allow All Rules](#adding-allow-rules) may need to be added to the policy. The Allow All rules can be manually added to the policy xml or by merging with the Allow All xml present on the client system in the WDAC template folder:
If necessary, as in the cases listed above, [Allow All Rules](#adding-allow-rules) may need to be added to the policy. The Allow All rules can be manually added to the policy xml or by merging with the Allow All xml present on the client system in the WDAC template folder:
```PowerShell
$DenyPolicy = <path_to_deny_policy>
$AllowAllPolicy = $Env:windir + "\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml"
Merge-CIPolicy -PolicyPaths $DenyPolicy, $AllowAllPolicy -OutputFilePath $DenyPolicy
```
### Deploying the Deny Policy
Policies should be thoroughly evaluated and first rolled out in audit mode before strict enforcement. Policies can be deployed via multiple options:
Policies should be thoroughly evaluated and first rolled out in audit mode before strict enforcement. Policies can be deployed via multiple options:
1. Mobile Device Management (MDM): [Deploy WDAC policies using Mobile Device Management (MDM) (Windows)](deploy-windows-defender-application-control-policies-using-intune.md)
@ -150,4 +159,4 @@ Policies should be thoroughly evaluated and first rolled out in audit mode befor
3. Scripting [Deploy Windows Defender Application Control (WDAC) policies using script (Windows)](deployment/deploy-wdac-policies-with-script.md)
4. Group Policy: [Deploy WDAC policies via Group Policy (Windows)](deploy-windows-defender-application-control-policies-using-group-policy.md)
4. Group Policy: [Deploy WDAC policies via Group Policy (Windows)](deploy-windows-defender-application-control-policies-using-group-policy.md)

71
windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
View File

@ -11,10 +11,10 @@ ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
ms.date: 06/02/2021
ms.date: 02/01/2022
ms.technology: windows-sec
---
@ -22,71 +22,71 @@ ms.technology: windows-sec
A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:
- Event IDs beginning with 30 appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational**
- Events about WDAC policy activation and the control of executables, dlls, and drivers appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational**
- Event IDs beginning with 80 appear in **Applications and Services logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**
- Events about the control of MSI installers, scripts, and COM objects appear in **Applications and Services logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**
> [!NOTE]
> These event IDs are not applicable on Windows Server Core edition.
> These event IDs are not included on Windows Server Core edition.
## Microsoft Windows CodeIntegrity Operational log event IDs
## WDAC events found in the Microsoft Windows CodeIntegrity Operational log
| Event ID | Explanation |
|--------|-----------|
| 3076 | Audit executable/dll file |
| 3077 | Block executable/dll file |
| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". |
| 3099 | Indicates that a policy has been loaded |
| 3004 | This event isn't common and may occur with or without a WDAC policy present. It typically indicates a kernel driver tried to load with an invalid signature. For example, the file may not be WHQL-signed on a system where WHQL is required. |
| 3033 | This event isn't common. It often means the file's signature is revoked or expired. Try using option *20 Enabled:Revoked Expired As Unsigned* in your policy along with a non-signature rule (for example, hash) to address issues with revoked or expired certs. |
| 3034 | This event isn't common. It is the audit mode equivalent of event 3033 described above. |
| 3076 | This event is the main WDAC block event for audit mode policies. It indicates that the file would have been blocked if the WDAC policy was enforced. |
| 3077 | This event is the main WDAC block event for enforced policies. It indicates that the file did not pass your WDAC policy and was blocked. |
| 3089 | This event contains signature information for files that were blocked or would have been blocked by WDAC. One 3089 event is created for each signature of a file. The event shows the total number of signatures found and an index value to identify the current signature. Unsigned files produce a single 3089 event with TotalSignatureCount 0. 3089 events are correlated with 3004, 3033, 3034, 3076 and 3077 events. You can match the events using the "Correlation ActivityID" found in the "System" portion of the event. |
| 3099 | Indicates that a policy has been loaded. This event also includes information about the policy options that were specified by the policy. Refer to the |
## Microsoft Windows AppLocker MSI and Script log event IDs
## WDAC events found in the Microsoft Windows AppLocker MSI and Script log
| Event ID | Explanation |
|--------|-----------|
| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. |
| 8029 | Block script/MSI file |
| 8028 | This event indicates that a script host, such as PowerShell, queried WDAC about a file the script host was about to run. Since the WDAC policy was in audit mode, the script or MSI file should have run. Some script hosts may have additional information in their logs. Note: Most third-party script hosts do not integrate with WDAC. Consider the risks from unverified scripts when choosing which script hosts you allow to run. |
| 8029 | This event is the enforcement mode equivalent of event 8028 described above. Note: While this event says that a script was blocked, the actual script enforcement behavior is implemented by the script host. The script host may allow the file to run with restrictions and not block the file outright. For example, PowerShell will allow a script to run but only in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes.md). |
| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy.md). |
| 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". |
| 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. 8038 events are correlated with 8028 and 8029 events and can be matched using the "Correlation ActivityID" found in the "System" portion of the event. |
## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events
## Diagnostic events for Intelligent Security Graph (ISG) and Managed Installer (MI)
If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide more diagnostic information.
Events 3090, 3091 and 3092 prove helpful diagnostic information when the ISG or MI option is enabled by any WDAC policy. These events can help you debug why something was allowed/denied based on managed installer or ISG. These events do not necessarily indicate a problem but should be reviewed in context with other events like 3076 or 3077 described above.
| Event ID | Explanation |
|--------|---------|
| 3090 | Allow executable/dll file |
| 3091 | Audit executable/dll file |
| 3092 | Block executable/dll file |
| 3090 | *Optional* This event indicates that a file was allowed to run based purely on ISG or managed installer. |
| 3091 | This event indicates that a file did not have ISG or managed installer authorization and the policy is in audit mode. |
| 3092 | This event is the enforcement mode equivalent of 3091. |
3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template that appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated.
The above events are reported per active policy on the system, so you may see multiple events for the same file.
### SmartLocker template
### ISG and MI diagnostic event details
Below are the fields that help to diagnose what a 3090, 3091, or 3092 event indicates.
The following information is found in the details for 3090, 3091, and 3092 events.
| Name | Explanation |
|------|------|
| StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. |
| ManagedInstallerEnabled | Policy trusts a MI |
| PassesManagedInstaller | File originated from a trusted MI |
| SmartlockerEnabled | Policy trusts the ISG |
| PassesSmartlocker | File had positive reputation |
| ManagedInstallerEnabled | Indicates whether the specified policy enables managed installer trust |
| PassesManagedInstaller | Indicates whether the file originated from a MI |
| SmartlockerEnabled | Indicates whether the specified policy enables ISG trust |
| PassesSmartlocker | Indicates whether the file had positive reputation according to the ISG |
| AuditEnabled | True if the policy is in audit mode, otherwise it is in enforce mode |
| PolicyName | The name of the policy to which the event applies |
### Enabling ISG and MI diagnostic events
In order to enable 3091 audit events and 3092 block events, you must create a TestFlags regkey with a value of 0x100. You can do so using the following PowerShell command:
```powershell
reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100
```
To enable 3090 allow events, and 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command:
To enable 3090 allow events, create a TestFlags regkey with a value of 0x300 as shown in the following PowerShell command. Then restart your computer.
```powershell
reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300
```
## System Integrity Policy Options
3091 and 3092 events are inactive on some versions of Windows. The above steps will also turn on those events.
## Event ID 3099 Options
The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](/select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options).
| Bit Address | Policy Rule Option |
@ -113,6 +113,7 @@ The WDAC policy rule-option values can be derived from the "Options" field in th
| 28 | `Enabled:Update Policy No Reboot` |
## Appendix
A list of other relevant event IDs and their corresponding description.
| Event ID | Description |

2
windows/security/threat-protection/windows-defender-application-control/index.yml
View File

@ -71,6 +71,8 @@ landingContent:
links:
- text: Understanding policy and file rules
url: select-types-of-rules-to-create.md
- text: Understanding WDAC secure settings
url: understanding-wdac-policy-settings.md
- linkListType: how-to-guide
links:
- text: Allow managed installer and configure managed installer rules

12
windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
View File

@ -10,11 +10,11 @@ ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
author: dansimp
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 07/15/2021
ms.date: 01/26/2022
ms.technology: windows-sec
---
@ -22,15 +22,17 @@ ms.technology: windows-sec
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
- Windows 10
- Windows 11
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
Windows Defender Application Control (WDAC) can control what runs on Windows 10 and Windows 11, by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted.
WDAC is used to restrict devices to run only approved apps, while the operating system is hardened against kernel memory attacks using [hypervisor-protected code integrity (HVCI)](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).
## Windows Defender Application Control policy rules
To modify the policy rule options of an existing WDAC policy XML, use [Set-RuleOption](/powershell/module/configci/set-ruleoption). The following examples show how to use this cmdlet to add and remove a rule option on an existing WDAC policy:

76
windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md Normal file
View File

@ -0,0 +1,76 @@
---
title: Understanding Windows Defender Application Control (WDAC) secure settings
description: Learn about secure settings in Windows Defender Application Control.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jgeurten
ms.reviewer: jgeurten
ms.author: dansimp
manager: dansimp
ms.date: 10/11/2021
ms.technology: mde
---
# Understanding WDAC Policy Settings
Windows Defender Application Control (WDAC) Policies expose a Settings section where policy authors can define arbitrary secure settings. Secure Settings provide local admin tamper-free settings for secure boot enabled systems, with policy signing enabled. Settings consist of a Provider, Key, and ValueName, as well as a setting value. Setting values can be of type boolean, ulong, binary, and string. Applications can query for policy settings using WldpQuerySecurityPolicy. <br/>
An example settings section of a WDAC Policy:
```xml
<Settings>
<Setting Provider="Contoso" Key="FooApplication" ValueName="DisableMacroExecution">
<Value>
<Boolean>true</Boolean>
</Value>
</Setting>
</Settings>
```
### Example Scenario
An application that may want to restrict its capabilities, when used on a system with an active WDAC policy. Application authors can define a WDAC policy, setting their application queries, in order to disable certain features. For example, if Contosos Foo Application wants to disable a risky feature, such as macro execution, they can define a WDAC policy setting, and query for it at runtime. Contoso can then instruct IT administrators to configure the setting in their WDAC policy, if they dont want Foo Application to execute macros on a system with a WDAC policy.<br/>
### WldpQuerySecurityPolicy
API that queries the secure settings of a WDAC policy.
### Syntax
``` C++
HRESULT WINAPI WldpQuerySecurityPolicy(
_In_ const UNICODE_STRING * Provider,
_In_ const UNICODE_STRING * Key,
_In_ const UNICODE_STRING * ValueName,
_Out_ PWLDP_SECURE_SETTING_VALUE_TYPE ValueType,
_Out_writes_bytes_opt_(*ValueSize) PVOID Value,
_Inout_ PULONG ValueSize)
```
### Parameters
Provider [in]
Setting Provider name.
#### Key [in]
Key name of the Key-Value pair under Setting Provider "Provider".
#### ValueName [in]
The value name of the "Key-Value" pair.
#### ValueType [in, out]
Pointer to receive the value type.
#### Value [in, out]
Pointer to a buffer to receive the value. The buffer should be of size “ValueSize”. If this value is NULL, this function will return the required buffer size for Value.
#### ValueSize [in, out]
On input, it indicates the buffer size of "Value". On successful return, it indicates the size of data written to Value buffer.
#### Return Value
This method returns S_OK if successful or a failure code otherwise.
#### Remarks
See [WDAC Policy Settings] for more information on WDAC policy settings.

5
windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
View File

@ -26,6 +26,9 @@ ms.technology: windows-sec
- Windows 11
- Windows Server 2016 and above
> [!IMPORTANT]
> The existing web-based mechanism for the Device Guard Signing Service v1 will be retired on June 9, 2021. Please transition to the PowerShell based version of the service [(DGSS v2)](/microsoft-store/device-guard-signing-portal). For more details, see [Sign an MSIX package with Device Guard signing](/windows/msix/package/signing-package-device-guard-signing) and [Device Guard signing](/microsoft-store/device-guard-signing-portal).
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@ -47,4 +50,4 @@ Before you get started, be sure to review these best practices:
4. After the files are uploaded, click **Sign** to sign the code integrity policy.
5. Click **Download** to download the signed code integrity policy.
When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then sign the policy again.
When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then sign the policy again.

4
windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
View File

@ -14,7 +14,7 @@ audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.date: 08/12/2021
ms.date: 02/10/2022
ms.technology: windows-sec
---
@ -42,7 +42,7 @@ For example, to create a WDAC policy allowing **addin1.dll** and **addin2.dll**
```powershell
$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe'
$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin2.dll' -Level FileName -AppID '.\ERP2.exe'
$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin2.dll' -Level FileName -AppID '.\ERP1.exe'
New-CIPolicy -Rules $rule -FilePath ".\AllowERPAddins.xml" -UserPEs
```

44
windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
View File

@ -29,22 +29,18 @@ You can choose to hide the section from users of the machine. This can be useful
## Hide the Device security section
You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app.
You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. You can hide the device security section by using Group Policy only.
This can only be done in Group Policy.
>[!IMPORTANT]
>### Requirements
>
>You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
> [!IMPORTANT]
> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and then select **Administrative templates**.
3. Expand the tree to **Windows components > Windows Security > Device security**.
3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
4. Open the **Hide the Device security area** setting and set it to **Enabled**. Click **OK**.
4. Open the **Hide the Device security area** setting and set it to **Enabled**. Select **OK**.
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
@ -56,18 +52,16 @@ This can only be done in Group Policy.
## Disable the Clear TPM button
If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it.
>[!IMPORTANT]
>### Requirements
>
>You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
> [!IMPORTANT]
> You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and then select **Administrative templates**.
3. Expand the tree to **Windows components > Windows Security > Device security**.
3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
4. Open the **Disable the Clear TPM button** setting and set it to **Enabled**. Click **OK**.
4. Open the **Disable the Clear TPM button** setting and set it to **Enabled**. Select **OK**.
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
@ -76,23 +70,25 @@ If you don't want users to see the recommendation to update TPM firmware, you ca
1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and then select **Administrative templates**.
3. Expand the tree to **Windows components > Windows Security > Device security**.
3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
4. Open the **Hide the TPM Firmware Update recommendation** setting and set it to **Enabled**. Click **OK**.
4. Open the **Hide the TPM Firmware Update recommendation** setting and set it to **Enabled**. Select **OK**.
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
## Disable Memory integrity switch
If you don't want users to be able to change the Hypervisor Control Integrity (HVCI), or memory integrity, setting on their computers, you can disable the **Memory integrity** switch.
> [!IMPORTANT]
> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and then select **Administrative templates**.
3. Expand the tree to **Windows components > Windows Security > Device security**.
3. Expand the tree to **Windows components** > **Windows Security** > **Device security**.
4. Open the **Disable Memory integrity switch** setting and set it to **Enabled**. Click **OK**.
4. Open the **Disable Memory integrity switch** setting and set it to **Enabled**. Select **OK**.
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).

Some files were not shown because too many files have changed in this diff Show More