deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into patch-2

Browse Source
This commit is contained in:
Andrei-George Stoica 2022-03-09 11:24:26 +02:00 committed by GitHub
commit 447c5e1811
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
304 changed files with 11862 additions and 5337 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.acrolinx-config.edn
View File

@ -1,4 +1,4 @@
{:allowed-branchname-matches ["master" "main"]
{:allowed-branchname-matches ["main"]
:allowed-filename-matches ["windows/"]
:targets

1
.gitignore vendored
View File

@ -14,6 +14,7 @@ common/
.openpublishing.build.mdproj
.openpublishing.buildcore.ps1
packages.config
settings.json
# User-specific files
.vs/

858
.openpublishing.publish.config.json
View File

@ -1,439 +1,421 @@
{
"build_entry_point": "",
"docsets_to_publish": [
{
"docset_name": "education",
"build_source_folder": "education",
"build_output_subfolder": "education",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "hololens",
"build_source_folder": "devices/hololens",
"build_output_subfolder": "hololens",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "internet-explorer",
"build_source_folder": "browsers/internet-explorer",
"build_output_subfolder": "internet-explorer",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "keep-secure",
"build_source_folder": "windows/keep-secure",
"build_output_subfolder": "keep-secure",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "microsoft-edge",
"build_source_folder": "browsers/edge",
"build_output_subfolder": "microsoft-edge",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "release-information",
"build_source_folder": "windows/release-information",
"build_output_subfolder": "release-information",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "smb",
"build_source_folder": "smb",
"build_output_subfolder": "smb",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "store-for-business",
"build_source_folder": "store-for-business",
"build_output_subfolder": "store-for-business",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-access-protection",
"build_source_folder": "windows/access-protection",
"build_output_subfolder": "win-access-protection",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-app-management",
"build_source_folder": "windows/application-management",
"build_output_subfolder": "win-app-management",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-client-management",
"build_source_folder": "windows/client-management",
"build_output_subfolder": "win-client-management",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-configuration",
"build_source_folder": "windows/configuration",
"build_output_subfolder": "win-configuration",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-deployment",
"build_source_folder": "windows/deployment",
"build_output_subfolder": "win-deployment",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-device-security",
"build_source_folder": "windows/device-security",
"build_output_subfolder": "win-device-security",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-configure",
"build_source_folder": "windows/configure",
"build_output_subfolder": "windows-configure",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-deploy",
"build_source_folder": "windows/deploy",
"build_output_subfolder": "windows-deploy",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-hub",
"build_source_folder": "windows/hub",
"build_output_subfolder": "windows-hub",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-manage",
"build_source_folder": "windows/manage",
"build_output_subfolder": "windows-manage",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-plan",
"build_source_folder": "windows/plan",
"build_output_subfolder": "windows-plan",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-privacy",
"build_source_folder": "windows/privacy",
"build_output_subfolder": "windows-privacy",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-security",
"build_source_folder": "windows/security",
"build_output_subfolder": "windows-security",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-update",
"build_source_folder": "windows/update",
"build_output_subfolder": "windows-update",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-threat-protection",
"build_source_folder": "windows/threat-protection",
"build_output_subfolder": "win-threat-protection",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-whats-new",
"build_source_folder": "windows/whats-new",
"build_output_subfolder": "win-whats-new",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
}
],
"notification_subscribers": [
"elizapo@microsoft.com"
],
"sync_notification_subscribers": [
"dstrome@microsoft.com"
],
"branches_to_filter": [
""
],
"git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/windows-itpro-docs",
"git_repository_branch_open_to_public_contributors": "public",
"skip_source_output_uploading": false,
"need_preview_pull_request": true,
"resolve_user_profile_using_github": true,
"contribution_branch_mappings": {},
"dependent_repositories": [
{
"path_to_root": "_themes.pdf",
"url": "https://github.com/Microsoft/templates.docs.msft.pdf",
"branch": "master",
"branch_mapping": {}
},
{
"path_to_root": "_themes",
"url": "https://github.com/Microsoft/templates.docs.msft",
"branch": "master",
"branch_mapping": {}
}
],
"branch_target_mapping": {
"live": [
"Publish",
"Pdf"
],
"master": [
"Publish",
"Pdf"
]
},
"need_generate_pdf_url_template": true,
"targets": {
"Pdf": {
"template_folder": "_themes.pdf"
}
},
"docs_build_engine": {
"name": "docfx_v3"
},
"need_generate_pdf": false,
"need_generate_intellisense": false
{
"build_entry_point": "",
"docsets_to_publish": [
{
"docset_name": "education",
"build_source_folder": "education",
"build_output_subfolder": "education",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "hololens",
"build_source_folder": "devices/hololens",
"build_output_subfolder": "hololens",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "internet-explorer",
"build_source_folder": "browsers/internet-explorer",
"build_output_subfolder": "internet-explorer",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "keep-secure",
"build_source_folder": "windows/keep-secure",
"build_output_subfolder": "keep-secure",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "microsoft-edge",
"build_source_folder": "browsers/edge",
"build_output_subfolder": "microsoft-edge",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "release-information",
"build_source_folder": "windows/release-information",
"build_output_subfolder": "release-information",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "smb",
"build_source_folder": "smb",
"build_output_subfolder": "smb",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "store-for-business",
"build_source_folder": "store-for-business",
"build_output_subfolder": "store-for-business",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-access-protection",
"build_source_folder": "windows/access-protection",
"build_output_subfolder": "win-access-protection",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-app-management",
"build_source_folder": "windows/application-management",
"build_output_subfolder": "win-app-management",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-client-management",
"build_source_folder": "windows/client-management",
"build_output_subfolder": "win-client-management",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-configuration",
"build_source_folder": "windows/configuration",
"build_output_subfolder": "win-configuration",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-deployment",
"build_source_folder": "windows/deployment",
"build_output_subfolder": "win-deployment",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-device-security",
"build_source_folder": "windows/device-security",
"build_output_subfolder": "win-device-security",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-configure",
"build_source_folder": "windows/configure",
"build_output_subfolder": "windows-configure",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-deploy",
"build_source_folder": "windows/deploy",
"build_output_subfolder": "windows-deploy",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-hub",
"build_source_folder": "windows/hub",
"build_output_subfolder": "windows-hub",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-plan",
"build_source_folder": "windows/plan",
"build_output_subfolder": "windows-plan",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-privacy",
"build_source_folder": "windows/privacy",
"build_output_subfolder": "windows-privacy",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-security",
"build_source_folder": "windows/security",
"build_output_subfolder": "windows-security",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-update",
"build_source_folder": "windows/update",
"build_output_subfolder": "windows-update",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-threat-protection",
"build_source_folder": "windows/threat-protection",
"build_output_subfolder": "win-threat-protection",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-whats-new",
"build_source_folder": "windows/whats-new",
"build_output_subfolder": "win-whats-new",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
}
],
"notification_subscribers": [
"elizapo@microsoft.com"
],
"sync_notification_subscribers": [
"dstrome@microsoft.com"
],
"branches_to_filter": [
""
],
"git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/windows-itpro-docs",
"git_repository_branch_open_to_public_contributors": "public",
"skip_source_output_uploading": false,
"need_preview_pull_request": true,
"resolve_user_profile_using_github": true,
"dependent_repositories": [
{
"path_to_root": "_themes.pdf",
"url": "https://github.com/Microsoft/templates.docs.msft.pdf",
"branch": "main",
"branch_mapping": {}
},
{
"path_to_root": "_themes",
"url": "https://github.com/Microsoft/templates.docs.msft",
"branch": "main",
"branch_mapping": {}
}
],
"branch_target_mapping": {
"live": [
"Publish",
"Pdf"
],
"main": [
"Publish",
"Pdf"
]
},
"need_generate_pdf_url_template": true,
"targets": {
"Pdf": {
"template_folder": "_themes.pdf"
}
},
"docs_build_engine": {},
"contribution_branch_mappings": {},
"need_generate_pdf": false,
"need_generate_intellisense": false
}

48
.openpublishing.redirection.json
View File

@ -1,5 +1,20 @@
{
"redirections": [
{
"source_path": "windows/client-management/mdm/browserfavorite-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-phone-8-1-end-of-support-faq-7f1ef0aa-0aaf-0747-3724-5c44456778a3",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-10-mobile-security-guide.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/windowssecurityauditing-ddf-file.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
@ -5157,7 +5172,7 @@
},
{
"source_path": "windows/device-security/windows-10-mobile-security-guide.md",
"redirect_url": "/windows/security/threat-protection/windows-10-mobile-security-guide",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -5462,7 +5477,7 @@
},
{
"source_path": "windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md",
"redirect_url": "/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -12072,7 +12087,7 @@
},
{
"source_path": "windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md",
"redirect_url": "/windows/access-protection/installing-digital-certificates-on-windows-10-mobile",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -13562,7 +13577,7 @@
},
{
"source_path": "windows/keep-secure/windows-10-mobile-security-guide.md",
"redirect_url": "/windows/device-security/windows-10-mobile-security-guide",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -19291,6 +19306,31 @@
"source_path": "windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md",
"redirect_url": "/legal/windows/license-terms-windows-diagnostic-data-for-powershell",
"redirect_document_id": false
},
{
"source_path": "windows/privacy/windows-endpoints-1709-non-enterprise-editions.md",
"redirect_url": "/windows/privacy/windows-endpoints-21h1-non-enterprise-editions",
"redirect_document_id": true
},
{
"source_path": "windows/privacy/windows-endpoints-1803-non-enterprise-editions.md",
"redirect_url": "/windows/privacy/windows-endpoints-21h1-non-enterprise-editions",
"redirect_document_id": false
},
{
"source_path": "windows/privacy/manage-windows-1709-endpoints.md",
"redirect_url": "/windows/privacy/manage-windows-21h2-endpoints",
"redirect_document_id": true
},
{
"source_path": "windows/privacy/manage-windows-1803-endpoints.md",
"redirect_url": "/windows/privacy/manage-windows-21h2-endpoints",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/windows-11-whats-new.md",
"redirect_url": "/windows/whats-new/windows-11-overview",
"redirect_document_id": false
}
]
}

1
browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
View File

@ -34,6 +34,7 @@ Internet Explorer 11 gives you some new Group Policy settings to help you manage
| Always send Do Not Track header | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 | This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.<p>If you enable this policy setting, IE sends a `DNT:1` header with all HTTP and HTTPS requests. The `DNT:1` header signals to the servers not to track the user.<p>**In Internet Explorer 9 and 10:**<br>If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.<p>**In at least IE11:**<br>If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.<p>If you don't configure the policy setting, users can select the **Always send Do Not Track header** option on the **Advanced\* tab of the \*\*Internet Options** dialog box. By selecting this option, IE sends a `DNT:1` header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a `DNT:0` header. By default, this option is enabled. |
| Don't run antimalware programs against ActiveX controls<br>(Internet, Restricted Zones) | <ul><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone</li></ul> | IE11 on Windows 10 | This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.<p>If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.<p>If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.<p>If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using the Internet Explorer's **Security** settings. |
| Don't run antimalware programs against ActiveX controls<br>(Intranet, Trusted, Local Machine Zones) | <ul><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone</li><li>Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone</li></ul> | IE11 on Windows 10 | This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.<p>If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.<p>If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.<p>If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer's **Security** settings. |
| Hide Internet Explorer 11 Application Retirement Notification | Administrative Templates\Windows Components\Internet Explorer | Internet Explorer 11 on Windows 10 20H2 & newer | This policy setting allows you to prevent the notification bar that informs users of Internet Explorer 11s retirement from showing up. <br>If you disable or dont configure this setting, the notification will be shown. |
| Hide the button (next to the New Tab button) that opens Microsoft Edge | User Configuration\Administrative Templates\Windows Components/Internet Explorer\Internet Settings\Advanced Settings\Browsing\ | IE11 on Windows 10, version 1703 | This policy setting lets you decide whether employees can see the open Microsoft Edge button, which appears next to the New Tab button.<p>If you enable this policy setting, the button to open Microsoft Edge from Internet Explorer will be hidden.<p>If you disable this policy setting, the button to open Microsoft Edge from Internet Explorer appears.<p>If you don't configure this policy setting, the button to open Microsoft Edge from Internet Explorer can be configured by your employees. |
| Let users turn on and use Enterprise Mode from the **Tools** menu | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10 | This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.<p>If you enable this policy setting, users can see and use the **Enterprise Mode** option from the **Tools** menu. If you enable this setting, but dont specify a report location, Enterprise Mode will still be available to your users, but you wont get any reports.<p>If you disable or dont configure this policy setting, the menu option wont appear and users wont be able to turn on Enterprise Mode locally. |
| Limit Site Discovery output by Domain | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to control which domains are included in the discovery function of the Internet Explorer Site Discovery Toolkit.<p>If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in your specified domains, configured by adding one domain per line to the included text box.<p>If you disable or dont configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all domains.<p>**Note:**<br>You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. |

51
education/windows/windows-11-se-overview.md
View File

@ -37,27 +37,38 @@ Windows 11 SE is only available preinstalled on devices from OEMs. The OEM insta
Windows 11 SE comes with some preinstalled apps. The following apps can also run on Windows 11 SE, and are deployed using the [Intune for Education portal](https://intuneeducation.portal.azure.com). For more information, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
---
| Application | Min version | Vendor |
| --- | --- | --- |
| Chrome | 95.0.4638.54 | Google |
| Dragon Assistant | 3.2.98.061 | Nuance Communications |
| Dragon Professional Individual | 15.00.100 | Nuance Communications |
| e-Speaking Voice and Speech recognition | 4.4.0.8 | e-speaking |
| Free NaturalReader | 16.1.2 | Natural Soft |
| Jaws for Windows | 2022.2109.84 ILM | Freedom Scientific |
| Kite Student Portal | 8.0.1 | Dynamic Learning Maps |
| NextUp Talker | 1.0.49 | NextUp Technologies, LLC. |
| NonVisual Desktop Access | 2021.2 | NV Access |
| Read and Write | 12.0.71 | Texthelp Systems Ltd. |
| SuperNova Magnifier & Screen Reader | 20.03 | Dolphin Computer Access |
| SuperNova Magnifier & Speech | 20.03 | Dolphin Computer Access |
| Text Aloud | 4.0.64 | Nextup.com |
| Zoom | 5.8.3 (1581) | Zoom Inc |
| Zoomtext Fusion by AiSquared | 2022.2109.10 | ORF Fusion |
| ZoomText Magnifier/Reader | 2022.2109.25ILM | AI Squared |
---
| Application | Supported version | Vendor |
| --- | --- | --- |
|Blub Digital Portoflio |0.0.7.0 |bulb|
|CA Secure Browser |14.0.0 |Cambium Development|
|Cisco Umbrella |3.0.110.0 |Cisco|
|Dragon Professional Individual |15.00.100 |Nuance Communications|
|DRC INSIGHT Online Assessments |12.0.0.0 |DRC|
|e-Speaking Voice and Speech recognition|4.4.0.8 |e-speaking|
|Free NaturalReader |16.1.2 |Natural Soft|
|GoGuardian |1.4.4 |GoGuardian|
|Google Chrome |97.0.4692.71 |Google|
|JAWS for Windows |2022.2112.24 |Freedom Scientific|
|Kite Student Portal |8.0.1|Dynamic Learning Maps|
|Kortext |2.3.418.0 |Kortext|
|LanSchool |9.1.0.46 |Stoneware|
|Lightspeed Smart Agent |1.9.1 |Lightspeed Systems|
|Mozilla Firefox |96.0.2 |Mozilla|
|NextUp Talker |1.0.49 |NextUp Technologies|
|NonVisual Desktop Access |2021.3.1 |NV Access|
|NWEA Secure Testing Browser |5.4.300.0 |NEWA|
|Read&Write for Windows (US English) |12.0.60.0 |Texthelp Ltd.|
|Safe Exam Broswer |3.3.1 |Safe Exam Broswer|
|Secure Browser |4.8.3.376 |Questar, Inc|
|SuperNova Magnifier & Screen Reader | 20.03 |Dolphin Computer Access|
|SuperNova Magnifier & Speech | 20.03 |Dolphin Computer Access|
|Respondus Lockdown Browser |2.0.8.03 |Respondus|
|TestNav |1.10.2.0 |Pearson Education Inc|
|SecureBrowser |14.0.0 |Cambium Development|
|Zoom |5.9.1 (2581) |Zoom|
|ZoomText Fusion |2022.2109.10 |Freedom Scientific|
|ZoomText Magnifier/Reader |2022.2109.25 |Freedom Scientific|
### Enabled apps

2
windows/application-management/remove-provisioned-apps-during-update.md
View File

@ -12,7 +12,7 @@ manager: dansimp
---
# How to keep apps removed from Windows 10 from returning during an update
>Applies to: Windows 10 (Semi-Annual Channel)
> Applies to: Windows 10 (General Availability Channel)
When you update a computer running Windows 10, version 1703 or 1709, you might see provisioned apps that you previously removed return post-update. This can happen if the computer was offline when you removed the apps. This issue was fixed in Windows 10, version 1803.

7
windows/client-management/connect-to-remote-aadj-pc.md
View File

@ -9,7 +9,7 @@ ms.pagetype: devices
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
ms.date: 09/14/2021
ms.date: 01/18/2022
ms.reviewer:
manager: dansimp
ms.topic: article
@ -55,8 +55,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
```
where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD.
This command only works for AADJ device users already added to any of the local groups (administrators).
Otherwise this command throws the below error. For example:
In order to execute this PowerShell command you be a member of the local Administrators group. Otherwise, you'll get an error like this example:
- for cloud only user: "There is no such global user or group : *name*"
- for synced user: "There is no such global user or group : *name*" </br>
@ -67,7 +66,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
- Adding users using policy
Starting in Windows 10, version 2004, you can add users or Azure AD groups to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
> [!TIP]
> When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com.

66
windows/client-management/mdm/Language-pack-management-csp.md
View File

@ -13,41 +13,71 @@ ms.date: 06/22/2021
# Language Pack Management CSP
The Language Pack Management CSP allows a direct way to provision languages remotely in Windows. MDMs like Intune can use management commands remotely to devices to configure language-related settings for System and new users.
The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of "optional FODs" (Handwriting recognition, Text-to-speech, and so on) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings.
1. Enumerate installed languages and features with GET command on the "InstalledLanguages" node. Below are the samples:
1. Enumerate installed languages with GET command on the "InstalledLanguages" node
**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages**
**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers**
**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers**
**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/LanguageFeatures**
**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers**
**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/LanguageFeatures**
The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either "language pack (feature)" or [LXPs](https://www.microsoft.com/store/collections/localexperiencepacks?cat0=devices&rtc=1).
- Indicates the language pack installed is a System Language Pack (non-LXP)
- Indicates that the LXP is installed.
- Indicates that both are installed.
The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is an integer representation of either [language pack](/windows-hardware/manufacture/desktop/available-language-packs-for-windows?view=windows-11&preserve-view=true) or [LXPs](https://www.microsoft.com/store/collections/localexperiencepacks?cat0=devices&rtc=1).
2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example,
- **1**- Indicates that only the Language Pack cab is installed.
- **2**- Indicates that only the LXP is installed.
- **3**- Indicates that both are installed.
**ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/**
**EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation**
The **LanguageFeatures** node is a bitmap representation of what [Language Features](/windows-hardware/manufacture/desktop/features-on-demand-language-fod?view=windows-11&preserve-view=true) are installed for a language on a device:
The installation is an asynchronous operation. You can query the **Status** node by using the following commands:
- Basic Typing = 0x1
- Fonts = 0x2
- Handwriting = 0x4
- Speech = 0x8
- TextToSpeech = 0x10
- OCR = 0x20
- LocaleData = 0x40
- SupplementFonts = 0x80
2. Install language pack and features with the EXECUTE command on the **StartInstallation** node of the language. The language installation will try to install the best matched language packs and features for the provided language.
> [!NOTE]
> If not previously set, installation will set the policy to block cleanup of unused language packs and features on the device to prevent unexpected deletion.
- Admins can optionally copy the language to the devices international settings immediately after installation by using the REPLACE command on the "CopyToDeviceInternationalSettings" node of the language. false (default)- will take no action; true- will set the following international settings to reflect the newly installed language:
- System Preferred UI Language
- System Locale
- Default settings for new users
- Input Method (keyboard)
- Locale
- Speech Recognizer
- User Preferred Language List
- Admins can optionally configure whether they want to install all available language features during installation using the REPLACE command on the "EnableLanguageFeatureInstallations" node of the language. false- will install only required features; true (default)- will install all available features.
Here are the sample commands to install French language with required features and copy to the device's international settings:
1. **ADD ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/**
2. **REPLACE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/CopyToDeviceInternationalSettings (true)**
3. **REPLACE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/EnableLanguageFeatureInstallations (false)**
4. **EXECUTE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation**
The installation is an asynchronous operation. You can query the **Status** or **ErrorCode** nodes by using the following commands:
**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status**
**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode**
Status: 0 not started; 1 in process; 2 succeeded; 3 failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed.
Status: 0 not started; 1 in progress; 2 succeeded; 3 failed; 4 - partial success (A partial success indicates not all the provisioning operations succeeded, for example, there was an error installing the language pack or features).
> [!NOTE]
> If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail.
ErrorCode: An HRESULT that could help diagnosis if the installation failed or partially failed.
3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed.
3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. Below is a sample command to delete the zh-CN language.
**DELETE./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN**
**DELETE./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN(Delete command)**
> [!NOTE]
> The deletion will ignore the policy of block cleanup of unused language packs.
4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node
**./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages**

40
windows/client-management/mdm/bitlocker-csp.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 04/16/2020
ms.date: 02/04/2022
ms.reviewer:
manager: dansimp
ms.collection: highpri
@ -21,7 +21,7 @@ The BitLocker configuration service provider (CSP) is used by the enterprise to
>
> You must send all the settings together in a single SyncML to be effective.
A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns
A `Get` operation on any of the settings, except for `RequireDeviceEncryption` and `RequireStorageCardEncryption`, returns
the setting configured by the admin.
For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
@ -120,7 +120,7 @@ If you want to disable this policy, use the following SyncML:
```
> [!NOTE]
> Currently only used space encryption is supported when using this CSP.
> Currently full disk encryption is supported when using this CSP for silent encryption. For non-silent encryption, encryption type will depend on `SystemDrivesEncryptionType` and `FixedDrivesEncryptionType` configured on the device.
<!--/Policy-->
<!--Policy-->
@ -142,7 +142,7 @@ Allows you to set the default encryption method for each of the different drive
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)</em></li>
<li>GP Friendly name: <em>Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)</em></li>
<li>GP name: <em>EncryptionMethodWithXts_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -216,7 +216,7 @@ Allows you to associate unique organizational identifiers to a new drive that is
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Provide the unique identifiers for your organization </em></li>
<li>GP Friendly name: <em>Provide the unique identifiers for your organization </em></li>
<li>GP name: <em>IdentificationField_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -276,7 +276,7 @@ Allows users on devices that are compliant with InstantGo or the Microsoft Hardw
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN</em></li>
<li>GP Friendly name: <em>Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN</em></li>
<li>GP name: <em>EnablePreBootPinExceptionOnDECapableDevice_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -318,7 +318,7 @@ Allows users to configure whether or not enhanced startup PINs are used with Bit
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Allow enhanced PINs for startup</em></li>
<li>GP Friendly name: <em>Allow enhanced PINs for startup</em></li>
<li>GP name: <em>EnhancedPIN_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -363,7 +363,7 @@ Allows you to configure whether standard users are allowed to change BitLocker P
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Disallow standard users from changing the PIN or password</em></li>
<li>GP Friendly name: <em>Disallow standard users from changing the PIN or password</em></li>
<li>GP name: <em>DisallowStandardUsersCanChangePIN_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -408,7 +408,7 @@ Allows users to enable authentication options that require user input from the p
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Enable use of BitLocker authentication requiring preboot keyboard input on slates</em></li>
<li>GP Friendly name: <em>Enable use of BitLocker authentication requiring preboot keyboard input on slates</em></li>
<li>GP name: <em>EnablePrebootInputProtectorsOnSlates_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -459,7 +459,7 @@ Allows you to configure the encryption type that is used by BitLocker.
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Enforce drive encryption type on operating system drives</em></li>
<li>GP Friendly name: <em>Enforce drive encryption type on operating system drives</em></li>
<li>GP name: <em>OSEncryptionType_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -507,7 +507,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Require addition
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Require additional authentication at startup</em></li>
<li>GP Friendly name: <em>Require additional authentication at startup</em></li>
<li>GP name: <em>ConfigureAdvancedStartup_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -604,7 +604,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure minimu
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name:<em>Configure minimum PIN length for startup</em></li>
<li>GP Friendly name:<em>Configure minimum PIN length for startup</em></li>
<li>GP name: <em>MinimumPINLength_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -670,7 +670,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure pre-bo
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Configure pre-boot recovery message and URL</em></li>
<li>GP Friendly name: <em>Configure pre-boot recovery message and URL</em></li>
<li>GP name: <em>PrebootRecoveryInfo_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -748,7 +748,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLo
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Choose how BitLocker-protected operating system drives can be recovered</em></li>
<li>GP Friendly name: <em>Choose how BitLocker-protected operating system drives can be recovered</em></li>
<li>GP name: <em>OSRecoveryUsage_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -834,7 +834,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLo
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Choose how BitLocker-protected fixed drives can be recovered</em></li>
<li>GP Friendly name: <em>Choose how BitLocker-protected fixed drives can be recovered</em></li>
<li>GP name: <em>FDVRecoveryUsage_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Fixed Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -929,7 +929,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Deny write acces
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Deny write access to fixed drives not protected by BitLocker</em></li>
<li>GP Friendly name: <em>Deny write access to fixed drives not protected by BitLocker</em></li>
<li>GP name: <em>FDVDenyWriteAccess_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Fixed Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -987,7 +987,7 @@ Allows you to configure the encryption type on fixed data drives that is used by
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Enforce drive encryption type on fixed data drives</em></li>
<li>GP Friendly name: <em>Enforce drive encryption type on fixed data drives</em></li>
<li>GP name: <em>FDVEncryptionType_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Fixed Data Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -1037,7 +1037,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Deny write acces
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Deny write access to removable drives not protected by BitLocker</em></li>
<li>GP Friendly name: <em>Deny write access to removable drives not protected by BitLocker</em></li>
<li>GP name: <em>RDVDenyWriteAccess_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Removeable Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -1106,7 +1106,7 @@ Allows you to configure the encryption type that is used by BitLocker.
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Enforce drive encryption type on removable data drives</em></li>
<li>GP Friendly name: <em>Enforce drive encryption type on removable data drives</em></li>
<li>GP name: <em>RDVEncryptionType_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Removable Data Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
@ -1150,7 +1150,7 @@ Allows you to control the use of BitLocker on removable data drives.
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP English name: <em>Control use of BitLocker on removable drives</em></li>
<li>GP Friendly name: <em>Control use of BitLocker on removable drives</em></li>
<li>GP name: <em>RDVConfigureBDE_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Removable Data Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>

94
windows/client-management/mdm/browserfavorite-csp.md
View File

@ -1,94 +0,0 @@
---
title: BrowserFavorite CSP
description: Learn how the BrowserFavorite configuration service provider is used to add and remove URLs from the favorites list on a device.
ms.assetid: 5d2351ff-2d6a-4273-9b09-224623723cbf
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 10/25/2021
---
# BrowserFavorite CSP
The BrowserFavorite configuration service provider is used to add and remove URLs from the favorites list on a device.
> [!Note]
> BrowserFavorite CSP is only supported in Windows Phone 8.1.
The BrowserFavorite configuration service provider manages only the favorites at the root favorite folder level. It does not manage subfolders under the root favorite folder nor does it manage favorites under a subfolder.
> [!Note]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_INTERNET\_EXPLORER\_FAVORITES capabilities to be accessed from a network configuration application.
The following shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
```console
BrowserFavorite
favorite name
----URL
```
<a href="" id="favorite-name-------------"></a>***favorite name***
Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer.
> [!Note]
> The *favorite name* should contain only characters that are valid in the Windows file system. The invalid characters are: \\ / : \* ? " < > |
Adding the same favorite twice adds only one occurrence to the Favorites list. If a favorite is added when another favorite with the same name but a different URL is already in the Favorites list, the existing favorite is replaced with the new favorite.
<a href="" id="url"></a>**URL**
Optional. Specifies the complete URL for the favorite.
## OMA client provisioning examples
Adding a new browser favorite.
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<wap-provisioningdoc>
<characteristic type="BrowserFavorite">
<characteristic type="Help and how-to">
<parm name="URL" value="http://www.microsoft.com/windowsphone/en-US/howto/wp7/default.aspx"/>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
|Elements|Available|
|--- |--- |
|Parm-query|Yes|
|Noparm|Yes|
|Nocharacteristic|Yes|
|Characteristic-query|Yes<br> <br>Recursive query: Yes<br> <br>Top-level query: Yes|
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

12
windows/client-management/mdm/clientcertificateinstall-csp.md
View File

@ -227,11 +227,11 @@ Optional. Specifies where to keep the private key.
The data type is an integer corresponding to one of the following values:
| Value | Description |
|-------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 | Private key protected by TPM. |
| 2 | Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. |
| 3 | (Default) Private key saved in software KSP. |
| Value | Description |
|---|---|
| 1 | Private key protected by TPM. |
| 2 | Private key protected by phone TPM if the device supports TPM. |
| 3 | (Default) Private key saved in software KSP. |
| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. |
Supported operations are Add, Get, Delete, and Replace.
@ -361,7 +361,7 @@ The date type format is Null, meaning this node doesnt contain a value.
The only supported operation is Execute.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-aadkeyidentifierlist"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList**
Optional. Specify the AAD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail.
Optional. Specify the Azure AD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the Azure AD Key present on the device. If no match is found, enrollment will fail.
Data type is string.

9
windows/client-management/mdm/clientcertificateinstall-ddf-file.md
View File

@ -556,21 +556,22 @@ Supported operations are Get, Add, Delete, Replace.</Description>
</AccessType>
<DefaultValue>3</DefaultValue>
<Description>Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN.
SCEP enrolled cert doesnt support TPM PIN protection.
Supported values:
SCEP enrolled cert doesnt support TPM PIN protection. Supported values:
1 private key protected by TPM,
2 private key protected by phone TPM if the device supports TPM.
All Windows Phone 8.1 devices support TPM and will treat value 2 as 1
3 (default) private key saved in software KSP
4 private key protected by NGC. If this option is specified, container name should be specifed, if not enrollment will fail
4 private key protected by NGC. If this option is specified, container name should be specified, if not enrollment will fail.
Format is int.
Supported operations are Get, Add, Delete, Replace
</Description>
<DFFormat>
<int />

16
windows/client-management/mdm/config-lock.md
View File

@ -48,31 +48,31 @@ The steps to turn on Config Lock using Microsoft Endpoint Manager (Microsoft Int
- **Profile type**: Templates
- **Template name**: Custom
:::image type="content" source="images/configlock-mem-createprofile.png" alt-text="create profile":::
:::image type="content" source="images/configlock-mem-createprofile.png" alt-text="In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates":::
1. Name your profile.
1. When you reach the Configuration Settings step, select “Add” and add the following information:
- **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
- **Data type**: Integer
- **Value**: 1 </br>
To turn off Config Lock. Change value to 0.
To turn off Config Lock, change the value to 0.
:::image type="content" source="images/configlock-mem-editrow.png" alt-text="edit row":::
:::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of Config Lock, a Description of Turn on Config Lock and the OMA-URI set as above, along with a Data type of Integer set to a Value of 1":::
1. Select the devices to turn on Config Lock. If you're using a test tenant, you can select “+ Add all devices”.
1. You'll not need to set any applicability rules for test purposes.
1. Review the Configuration and select “Create” if everything is correct.
1. After the device syncs with the Microsoft Intune server, you can confirm if the Config Lock was successfully enabled.
:::image type="content" source="images/configlock-mem-dev.png" alt-text="status":::
:::image type="content" source="images/configlock-mem-dev.png" alt-text="The Profile assignment status dashboard when viewing the Config Lock device configuration profile, showing one device has succeeded in having this profile applied":::
:::image type="content" source="images/configlock-mem-devstatus.png" alt-text="device status":::
:::image type="content" source="images/configlock-mem-devstatus.png" alt-text="The Device Status for the Config Lock Device Configuration Profile, showing one device with a Deployment Status as Succeeded and two with Pending":::
## Disabling
## Configuring Secured-Core PC features
Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enabled/disable) SCPC features via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune.
Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enable/disable) SCPC features (for example Firmware protection) via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune.
:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="firmware protect":::
:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. The setting is set to Off":::
## FAQ

15
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -15,7 +15,7 @@ ms.collection: highpri
# Configuration service provider reference
A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used overtheair for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used overtheair for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot.
A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used overtheair for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used overtheair for OMA Client Provisioning, or it can be included in the device image as a `.provxml` file that is installed during boot.
For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). For CSP DDF files, see [CSP DDF files download](#csp-ddf-files-download).
@ -150,18 +150,6 @@ Additional lists:
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[BrowserFavorite CSP](browserfavorite-csp.md)
<!--StartSKU-->
|Home|Pro|Business|Enterprise|Education|
|--- |--- |--- |--- |--- |
|No|No|No|No|No|
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[CMPolicy CSP](cmpolicy-csp.md)
@ -1147,6 +1135,7 @@ The following list shows the CSPs supported in HoloLens devices:
- [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
- [Firewall-CSP](firewall-csp.md)
- [HealthAttestation CSP](healthattestation-csp.md)
- [NetworkProxy CSP](networkproxy-csp.md)
- [NetworkQoSPolicy CSP](networkqospolicy-csp.md)
- [NodeCache CSP](nodecache-csp.md)
- [PassportForWork CSP](passportforwork-csp.md)

6
windows/client-management/mdm/defender-csp.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 10/04/2021
ms.date: 02/22/2022
---
# Defender CSP
@ -623,9 +623,9 @@ Valid values are:
<a href="" id="configuration-hideexclusionsfromlocaladmins"></a>**Configuration/HideExclusionsFromLocalAdmins**<br>
This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that are not Local Admins) exclusions are not visible, whether or not this setting is enabled.
If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security App and via PowerShell.
If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell.
If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app or via PowerShell.
If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app, in the registry, or via PowerShell.
> [!NOTE]
> Applying this setting will not remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**.

34
windows/client-management/mdm/dmprocessconfigxmlfiltered.md
View File

@ -25,7 +25,7 @@ ms.date: 06/26/2017
# DMProcessConfigXMLFiltered function
> [!Important]
> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. For more information about the new process for provisioning connectivity configuration, see [Connectivity configuration](/previous-versions//dn757424(v=vs.85)). However, this function is still supported for other OEM uses.
> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. For more information about the new process for provisioning connectivity configuration, see [Connectivity configuration](/previous-versions//dn757424(v=vs.85)). However, this function is still supported for other OEM uses.
Configures phone settings by using OMA Client Provisioning XML. Use of this function is strictly limited to the following scenarios.
@ -45,7 +45,7 @@ Microsoft recommends that this function isn't used to configure the following ty
- Email settings
> [!Note]
> The **DMProcessConfigXMLFiltered** function has full functionality in Windows Phone 8.1, but it has a read-only functionality in Windows 10.
> The **DMProcessConfigXMLFiltered** function has full functionality in Windows Phone 8.1, but it has a read-only functionality in Windows 10.
@ -54,37 +54,29 @@ Microsoft recommends that this function isn't used to configure the following ty
```C++
HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered(
LPCWSTR pszXmlIn,
const WCHAR   **rgszAllowedCspNode,
const DWORD   dwNumAllowedCspNodes,
BSTR    *pbstrXmlOut
const WCHAR **rgszAllowedCspNode,
const DWORD dwNumAllowedCspNodes,
BSTR *pbstrXmlOut
);
```
## Parameters
*pszXmlIn*
<ul>
<li>[in] The nullterminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. <strong>DMProcessConfigXMLFiltered</strong> accepts only OMA Client Provisioning XML (also known as WAP provisioning). It doesn't accept OMA DM SyncML XML (also known as SyncML).</li>
</ul>
<br>
- [in] The nullterminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. **DMProcessConfigXMLFiltered** accepts only OMA Client Provisioning XML (also known as WAP provisioning). It doesn't accept OMA DM SyncML XML (also known as SyncML).
*rgszAllowedCspNode*
<ul>
<li>[in] Array of <strong>WCHAR\</strong>* that specify which configuration service provider nodes can be invoked.</li>
</ul>
<br>
- [in] Array of `WCHAR` that specify which configuration service provider nodes can be invoked.
*dwNumAllowedCspNodes*
<ul>
<li>[in] Number of elements passed in <em>rgszAllowedCspNode</em>.</li>
</ul>
<br>
- [in] Number of elements passed in <em>rgszAllowedCspNode</em>.
*pbstrXmlOut*
<ul>
<li>[out] The resulting nullterminated XML from configuration. The caller of <strong>DMProcessConfigXMLFiltered</strong> is responsible for cleanup of the output buffer that the <em>pbstrXmlOut</em> parameter references. Use <a href="/windows/win32/api/oleauto/nf-oleauto-sysfreestring" data-raw-source="[**SysFreeString**](/windows/win32/api/oleauto/nf-oleauto-sysfreestring)"><strong>SysFreeString</strong></a> to free the memory.</li>
</ul>
<br>
- [out] The resulting nullterminated XML from configuration. The caller of **DMProcessConfigXMLFiltered** is responsible for cleanup of the output buffer that the <em>pbstrXmlOut</em> parameter references. Use <a href="/windows/win32/api/oleauto/nf-oleauto-sysfreestring" data-raw-source="[**SysFreeString**](/windows/win32/api/oleauto/nf-oleauto-sysfreestring)">**SysFreeString**</a> to free the memory.
If **DMProcessConfigXMLFiltered** retrieves a document, the *pbstrXmlOut* holds the XML output (in string form) of the provisioning operations. If **DMProcessConfigXMLFiltered** returns a failure, the XML output often contains "error nodes" that indicate which elements of the original XML failed. If the input document doesn't contain queries and is successfully processed, the output document should resemble the input document. In some error cases, no output is returned.

2
windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
View File

@ -36,7 +36,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
> See [Understanding ADMX policies in Policy CSP](./understanding-admx-backed-policies.md).
1. Find the policy from the list [ADMX policies](./policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description.
- GP English name
- GP Friendly name
- GP name
- GP ADMX file name
- GP path

7
windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 12/03/2021
ms.date: 03/02/2022
ms.reviewer:
manager: dansimp
ms.collection: highpri
@ -47,14 +47,15 @@ In Windows 10, version 1709 or later, when the same policy is configured in GP a
For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices.
## Verify auto-enrollment requirements and settings
To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly.
The following steps demonstrate required settings using the Intune service:
1. Verify that the user who is going to enroll the device has a valid Intune license.
1. Verify that the user who is going to enroll the device has a valid [Intune license](/mem/intune/fundamentals/licenses).
:::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png":::
2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png)

34
windows/client-management/mdm/federated-authentication-device-enrollment.md
View File

@ -16,9 +16,9 @@ ms.date: 07/28/2017
This section provides an example of the mobile device enrollment protocol using federated authentication policy. When the authentication policy is set to Federated, the web authentication broker is leveraged by the enrollment client to get a security token. The enrollment client calls the web authentication broker API within the response message to start the process. The server should build the web authentication broker pages to fit the device screen and should be consistent with the existing enrollment UI. The opaque security token that is returned from the broker as an end page is used by the enrollment client as the device security secret during the client certificate request call.
The &lt;AuthenticationServiceURL&gt; element the discovery response message specifies web authentication broker page start URL.
The `<AuthenticationServiceURL>` element the discovery response message specifies web authentication broker page start URL.
For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
## In this topic
@ -26,7 +26,7 @@ For details about the Microsoft mobile device enrollment protocol for Windows 1
[Enrollment policy web service](#enrollment-policy-web-service)
[Enrollment web service](#enrollment-web-service)
For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
## Discovery service
@ -35,7 +35,7 @@ The discovery web service provides the configuration information necessary for a
> [!NOTE]
> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http:<span></span>//enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc
The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`.
The first request is a standard HTTP GET request.
@ -146,7 +146,7 @@ A new XML tag, AuthenticationServiceUrl, is introduced in the DiscoveryResponse
The following are the explicit requirements for the server.
- The &lt;DiscoveryResponse&gt;&lt;AuthenticationServiceUrl&gt; element must support HTTPS.
- The `<DiscoveryResponse>``<AuthenticationServiceUrl>` element must support HTTPS.
- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail.
- WP doesnt support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device.
@ -156,8 +156,8 @@ The enrollment client issues an HTTPS request as follows:
AuthenticationServiceUrl?appru=<appid>&amp;login_hint=<User Principal Name>
```
- &lt;appid&gt; is of the form ms-app://string
- &lt;User Principal Name&gt; is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign in page. The value of this attribute serves as a hint that can be used by the authentication server as part of the authentication.
- `<appid>` is of the form ms-app://string
- `<User Principal Name>` is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign in page. The value of this attribute serves as a hint that can be used by the authentication server as part of the authentication.
After authentication is complete, the auth server should return an HTML form document with a POST method action of appid identified in the query string parameter.
@ -191,7 +191,7 @@ Content-Length: 556
</html>
```
The server has to send a POST to a redirect URL of the form ms-app://string (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary" contained in the &lt;wsse:BinarySecurityToken&gt; EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form it is just HTML encoded. This string is opaque to the enrollment client; the client does not interpret the string.
The server has to send a POST to a redirect URL of the form ms-app://string (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary` contained in the `<wsse:BinarySecurityToken>` EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form it is just HTML encoded. This string is opaque to the enrollment client; the client does not interpret the string.
The following example shows a response received from the discovery web service which requires authentication via WAB.
@ -235,18 +235,18 @@ Policy service is optional. By default, if no policies are specified, the minimu
This web service implements the X.509 Certificate Enrollment Policy Protocol (MS-XCEP) specification that allows customizing certificate enrollment to match different security needs of enterprises at different times (cryptographic agility). The service processes the GetPolicies message from the client, authenticates the client, and returns matching enrollment policies in the GetPoliciesResponse message.
For Federated authentication policy, the security token credential is provided in a request message using the &lt;wsse:BinarySecurityToken&gt; element \[WSS\]. The security token is retrieved as described in the discovery response section. The authentication information is as follows:
For Federated authentication policy, the security token credential is provided in a request message using the `<wsse:BinarySecurityToken>` element \[WSS\]. The security token is retrieved as described in the discovery response section. The authentication information is as follows:
- wsse:Security: The enrollment client implements the &lt;wsse:Security&gt; element defined in \[WSS\] section 5. The &lt;wsse:Security&gt; element must be a child of the &lt;s:Header&gt; element.
- wsse:BinarySecurityToken: The enrollment client implements the &lt;wsse:BinarySecurityToken&gt; element defined in \[WSS\] section 6.3. The &lt;wsse:BinarySecurityToken&gt; element must be included as a child of the &lt;wsse:Security&gt; element in the SOAP header.
- wsse:Security: The enrollment client implements the `<wsse:Security>` element defined in \[WSS\] section 5. The `<wsse:Security>` element must be a child of the `<s:Header>` element.
- wsse:BinarySecurityToken: The enrollment client implements the `<wsse:BinarySecurityToken>` element defined in \[WSS\] section 6.3. The `<wsse:BinarySecurityToken>` element must be included as a child of the `<wsse:Security>` element in the SOAP header.
As was described in the discovery response section, the inclusion of the &lt;wsse:BinarySecurityToken&gt; element is opaque to the enrollment client, and the client does not interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the &lt;AuthenticationServiceUrl&gt; element of &lt;DiscoveryResponse&gt; and the enterprise server.
As was described in the discovery response section, the inclusion of the `<wsse:BinarySecurityToken>` element is opaque to the enrollment client, and the client does not interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the `<AuthenticationServiceUrl>` element of `<DiscoveryResponse>` and the enterprise server.
The &lt;wsse:BinarySecurityToken&gt; element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the &lt;wsse:BinarySecurityToken&gt; element.
The `<wsse:BinarySecurityToken>` element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the `<wsse:BinarySecurityToken>` element.
- wsse:BinarySecurityToken/attributes/ValueType: The `<wsse:BinarySecurityToken>` ValueType attribute must be "http:<span></span>//schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken".
- wsse:BinarySecurityToken/attributes/ValueType: The `<wsse:BinarySecurityToken>` ValueType attribute must be `http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken`.
- wsse:BinarySecurityToken/attributes/EncodingType: The `<wsse:BinarySecurityToken>` EncodingType attribute must be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary".
- wsse:BinarySecurityToken/attributes/EncodingType: The `<wsse:BinarySecurityToken>` EncodingType attribute must be `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary`.
The following is an enrollment policy request example with a received security token as client credential.
@ -478,7 +478,7 @@ After validating the request, the web service looks up the assigned certificate
> [!Note]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (http:<span></span>//schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc), because the token is more than an X.509 v3 certificate.
Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (`http://schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc`), because the token is more than an X.509 v3 certificate.
The provisioning XML contains:
@ -616,7 +616,7 @@ The following code shows sample provisioning XML (presented in the preceding pac
> [!NOTE]
>
> - &lt;Parm name&gt; and &lt;characteristic type=&gt; elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase.
> - `<Parm name>` and `<characteristic type=>` elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase.
>
> - In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML.
>

4
windows/client-management/mdm/nodecache-ddf-file.md
View File

@ -57,7 +57,7 @@ The XML below is the current version for this CSP.
<Add />
<Delete />
</AccessType>
<Description>Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one ProviderID node under NodeCache.</Description>
<Description>Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process.</Description>
<DFFormat>
<node />
</DFFormat>
@ -282,7 +282,7 @@ The XML below is the current version for this CSP.
<Add />
<Delete />
</AccessType>
<Description>Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one ProviderID node under NodeCache.</Description>
<Description>Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process.</Description>
<DFFormat>
<node />
</DFFormat>

88
windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
View File

@ -1131,8 +1131,96 @@ ms.date: 10/08/2020
- [ADMX_tcpip/Teredo_Server_Name](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-server-name)
- [ADMX_tcpip/Teredo_State](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-state)
- [ADMX_tcpip/Windows_Scaling_Heuristics_State](./policy-csp-admx-tcpip.md#admx-tcpip-windows-scaling-heuristics-state)
- [ADMX_TerminalServer/TS_AUTO_RECONNECT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_auto_reconnect)
- [ADMX_TerminalServer/TS_CAMERA_REDIRECTION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_camera_redirection)
- [ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_certificate_template_policy)
- [ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_1)
- [ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_2)
- [ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_1)
- [ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_2)
- [ADMX_TerminalServer/TS_CLIENT_AUDIO](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio)
- [ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_capture)
- [ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_quality)
- [ADMX_TerminalServer/TS_CLIENT_CLIPBOARD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_clipboard)
- [ADMX_TerminalServer/TS_CLIENT_COM](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_com)
- [ADMX_TerminalServer/TS_CLIENT_DEFAULT_M](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_default_m)
- [ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_hardware_mode)
- [ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_password_saving_1)
- [ADMX_TerminalServer/TS_CLIENT_LPT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_lpt)
- [ADMX_TerminalServer/TS_CLIENT_PNP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_pnp)
- [ADMX_TerminalServer/TS_CLIENT_PRINTER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_printer)
- [ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_1)
- [ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_2)
- [ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_turn_off_udp)
- [ADMX_TerminalServer/TS_COLORDEPTH](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_colordepth)
- [ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_delete_roaming_user_profiles)
- [ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_disable_remote_desktop_wallpaper)
- [ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_dx_use_full_hwgpu)
- [ADMX_TerminalServer/TS_EASY_PRINT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print)
- [ADMX_TerminalServer/TS_EASY_PRINT_User](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print_user)
- [ADMX_TerminalServer/TS_EnableVirtualGraphics](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_enablevirtualgraphics)
- [ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_fallbackprintdrivertype)
- [ADMX_TerminalServer/TS_FORCIBLE_LOGOFF](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_forcible_logoff)
- [ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable)
- [ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method)
- [ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_server)
- [ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_join_session_directory)
- [ADMX_TerminalServer/TS_KEEP_ALIVE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_keep_alive)
- [ADMX_TerminalServer/TS_LICENSE_SECGROUP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_secgroup)
- [ADMX_TerminalServer/TS_LICENSE_SERVERS](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_servers)
- [ADMX_TerminalServer/TS_LICENSE_TOOLTIP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_tooltip)
- [ADMX_TerminalServer/TS_LICENSING_MODE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_licensing_mode)
- [ADMX_TerminalServer/TS_MAX_CON_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_max_con_policy)
- [ADMX_TerminalServer/TS_MAXDISPLAYRES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxdisplayres)
- [ADMX_TerminalServer/TS_MAXMONITOR](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxmonitor)
- [ADMX_TerminalServer/TS_NoDisconnectMenu](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nodisconnectmenu)
- [ADMX_TerminalServer/TS_NoSecurityMenu](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nosecuritymenu)
- [ADMX_TerminalServer/TS_PreventLicenseUpgrade](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_preventlicenseupgrade)
- [ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_promt_creds_client_comp)
- [ADMX_TerminalServer/TS_RADC_DefaultConnection](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_radc_defaultconnection)
- [ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_rdsappx_waitforregistration)
- [ADMX_TerminalServer/TS_RemoteControl_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_1)
- [ADMX_TerminalServer/TS_RemoteControl_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_2)
- [ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotedesktopvirtualgraphics)
- [ADMX_TerminalServer/TS_SD_ClustName](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_clustname)
- [ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_expose_address)
- [ADMX_TerminalServer/TS_SD_Loc](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_loc)
- [ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_security_layer_policy)
- [ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_network_detect)
- [ADMX_TerminalServer/TS_SELECT_TRANSPORT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_transport)
- [ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_advanced_remotefx_remoteapp)
- [ADMX_TerminalServer/TS_SERVER_AUTH](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_auth)
- [ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc_hw_encode_preferred)
- [ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc444_mode_preferred)
- [ADMX_TerminalServer/TS_SERVER_COMPRESSOR](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_compressor)
- [ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_image_quality)
- [ADMX_TerminalServer/TS_SERVER_LEGACY_RFX](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_legacy_rfx)
- [ADMX_TerminalServer/TS_SERVER_PROFILE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_profile)
- [ADMX_TerminalServer/TS_SERVER_VISEXP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_visexp)
- [ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_wddm_graphics_driver)
- [ADMX_TerminalServer/TS_Session_End_On_Limit_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_1)
- [ADMX_TerminalServer/TS_Session_End_On_Limit_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_2)
- [ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_1)
- [ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_2)
- [ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_1)
- [ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_2)
- [ADMX_TerminalServer/TS_SESSIONS_Limits_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_limits_1)
- [ADMX_TerminalServer/TS_SESSIONS_Limits_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_limits_2)
- [ADMX_TerminalServer/TS_SINGLE_SESSION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_single_session)
- [ADMX_TerminalServer/TS_SMART_CARD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_smart_card)
- [ADMX_TerminalServer/TS_START_PROGRAM_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_1)
- [ADMX_TerminalServer/TS_START_PROGRAM_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_2)
- [ADMX_TerminalServer/TS_TEMP_DELETE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_delete)
- [ADMX_TerminalServer/TS_TEMP_PER_SESSION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_per_session)
- [ADMX_TerminalServer/TS_TIME_ZONE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_time_zone)
- [ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_tscc_permissions_policy)
- [ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_turnoff_singleapp)
- [ADMX_TerminalServer/TS_UIA](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_uia)
- [ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_usb_redirection_disable)
- [ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_authentication_policy)
- [ADMX_TerminalServer/TS_USER_HOME](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_home)
- [ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_mandatory_profiles)
- [ADMX_TerminalServer/TS_USER_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_profiles)
- [ADMX_Thumbnails/DisableThumbnails](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnails)
- [ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnailsonnetworkfolders)
- [ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbsdbonnetworkfolders)

5
windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
View File

@ -9,7 +9,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 10/11/2021
ms.date: 03/01/2022
---
# Policies in Policy CSP supported by HoloLens 2
@ -120,7 +120,6 @@ ms.date: 10/11/2021
- [Update/ScheduleRestartWarning](policy-csp-update.md#update-schedulerestartwarning) <sup>10</sup>
- [Update/SetDisablePauseUXAccess](policy-csp-update.md#update-setdisablepauseuxaccess)
- [Update/UpdateNotificationLevel](policy-csp-update.md#update-updatenotificationlevel) <sup>10</sup>
- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl)
- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) <sup>8</sup>
@ -139,4 +138,4 @@ Footnotes:
## Related topics
[Policy CSP](policy-configuration-service-provider.md)
[Policy CSP](policy-configuration-service-provider.md)

7
windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
View File

@ -64,7 +64,7 @@ ms.date: 07/22/2020
- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
- [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md)
- [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership)
- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard)
- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
@ -79,11 +79,12 @@ ms.date: 07/22/2020
- [TextInput/ExcludeJapaneseIMEExceptJIS0208](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208)
- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208andeudc)
- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#textinput-excludejapaneseimeexceptshiftjis)
- [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone)
- [Wifi/AllowInternetSharing](policy-csp-wifi.md#wifi-allowinternetsharing)
- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi)
- [WiFi/AllowWiFiHotSpotReporting](policy-csp-wifi.md#wifi-allowwifihotspotreporting)
- [WiFi/WLANScanMode](policy-csp-wifi.md#wifi-wlanscanmode)
- [Wifi/AllowWiFiHotSpotReporting](policy-csp-wifi.md#wifi-allowwifihotspotreporting)
- [Wifi/WLANScanMode](policy-csp-wifi.md#wifi-wlanscanmode)
- [Wifi/AllowWiFiDirect](policy-csp-wifi.md#wifi-allowwifidirect)
- [WirelessDisplay/AllowMdnsAdvertisement](policy-csp-wirelessdisplay.md#wirelessdisplay-allowmdnsadvertisement)
- [WirelessDisplay/AllowMdnsDiscovery](policy-csp-wirelessdisplay.md#wirelessdisplay-allowmdnsdiscovery)

321
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -4068,12 +4068,269 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
### ADMX_TerminalServer policies
<dl>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_auto_reconnect" id="admx-terminalserver-ts_auto_reconnect">ADMX_TerminalServer/TS_AUTO_RECONNECT</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_camera_redirection" id="admx-terminalserver-ts_camera_redirection">ADMX_TerminalServer/TS_CAMERA_REDIRECTION</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_certificate_template_policy" id="admx-terminalserver-ts_certificate_template_policy">ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_1" id="admx-terminalserver-ts_client_allow_signed_files_1">ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_2" id="admx-terminalserver-ts_client_allow_signed_files_2">ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_1" id="admx-terminalserver-ts_client_allow_unsigned_files_1">ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_2" id="admx-terminalserver-ts_client_allow_unsigned_files_2">ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio" id="admx-terminalserver-ts_client_audio">ADMX_TerminalServer/TS_CLIENT_AUDIO</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_capture" id="admx-terminalserver-ts_client_audio_capture">ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_quality" id="admx-terminalserver-ts_client_audio_quality">ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_clipboard" id="admx-terminalserver-ts_client_clipboard">ADMX_TerminalServer/TS_CLIENT_CLIPBOARD</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_com" id="admx-terminalserver-ts_client_com">ADMX_TerminalServer/TS_CLIENT_COM</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_default_m" id="admx-terminalserver-ts_client_default_m">ADMX_TerminalServer/TS_CLIENT_DEFAULT_M</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_hardware_mode" id="admx-terminalserver-ts_client_disable_hardware_mode">ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_password_saving_1" id="admx-terminalserver-ts_client_disable_password_saving_1">ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_lpt" id="admx-terminalserver-ts_client_lpt">ADMX_TerminalServer/TS_CLIENT_LPT</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_pnp" id="admx-terminalserver-ts_client_pnp">ADMX_TerminalServer/TS_CLIENT_PNP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_printer" id="admx-terminalserver-ts_client_printer">ADMX_TerminalServer/TS_CLIENT_PRINTER</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_1" id="admx-terminalserver-ts_client_trusted_certificate_thumbprints_1">ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_2" id="admx-terminalserver-ts_client_trusted_certificate_thumbprints_2">ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_turn_off_udp" id="admx-terminalserver-ts_client_turn_off_udp">ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_colordepth" id="admx-terminalserver-ts_colordepth">ADMX_TerminalServer/TS_COLORDEPTH</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_delete_roaming_user_profiles" id="admx-terminalserver-ts_delete_roaming_user_profiles">ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_disable_remote_desktop_wallpaper" id="admx-terminalserver-ts_disable_remote_desktop_wallpaper">ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_dx_use_full_hwgpu" id="admx-terminalserver-ts_dx_use_full_hwgpu">ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print" id="admx-terminalserver-ts_easy_print">ADMX_TerminalServer/TS_EASY_PRINT</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print_user" id="admx-terminalserver-ts_easy_print_user">ADMX_TerminalServer/TS_EASY_PRINT_User</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_enablevirtualgraphics" id="admx-terminalserver-ts_enablevirtualgraphics">ADMX_TerminalServer/TS_EnableVirtualGraphics</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_fallbackprintdrivertype" id="admx-terminalserver-ts_fallbackprintdrivertype">ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_forcible_logoff" id="admx-terminalserver-ts_forcible_logoff">ADMX_TerminalServer/TS_FORCIBLE_LOGOFF</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable" id="admx-terminalserver-ts_gateway_policy_enable">ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method" id="admx-terminalserver-ts_gateway_policy_auth_method">ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_server" id="admx-terminalserver-ts_gateway_policy_server">ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_join_session_directory" id="admx-terminalserver-ts_join_session_directory">ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_keep_alive" id="admx-terminalserver-ts_keep_alive">ADMX_TerminalServer/TS_KEEP_ALIVE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_secgroup" id="admx-terminalserver-ts_license_secgroup">ADMX_TerminalServer/TS_LICENSE_SECGROUP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_servers" id="admx-terminalserver-ts_license_servers">ADMX_TerminalServer/TS_LICENSE_SERVERS</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_tooltip" id="admx-terminalserver-ts_license_tooltip">ADMX_TerminalServer/TS_LICENSE_TOOLTIP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_licensing_mode" id="admx-terminalserver-ts_licensing_mode">ADMX_TerminalServer/TS_LICENSING_MODE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_max_con_policy" id="admx-terminalserver-ts_max_con_policy">ADMX_TerminalServer/TS_MAX_CON_POLICY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxdisplayres" id="admx-terminalserver-ts_maxdisplayres">ADMX_TerminalServer/TS_MAXDISPLAYRES</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxmonitor" id="admx-terminalserver-ts_maxmonitor">ADMX_TerminalServer/TS_MAXMONITOR</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nodisconnectmenu" id="admx-terminalserver-ts_nodisconnectmenu">ADMX_TerminalServer/TS_NoDisconnectMenu</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nosecuritymenu" id="admx-terminalserver-ts_nosecuritymenu">ADMX_TerminalServer/TS_NoSecurityMenu</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_preventlicenseupgrade" id="admx-terminalserver-ts_preventlicenseupgrade">ADMX_TerminalServer/TS_PreventLicenseUpgrade</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_promt_creds_client_comp" id="admx-terminalserver-ts_promt_creds_client_comp">ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_radc_defaultconnection" id="admx-terminalserver-ts_radc_defaultconnection">ADMX_TerminalServer/TS_RADC_DefaultConnection</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_rdsappx_waitforregistration" id="admx-terminalserver-ts_rdsappx_waitforregistration">ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_1" id="admx-terminalserver-ts_remotecontrol_1">ADMX_TerminalServer/TS_RemoteControl_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_2" id="admx-terminalserver-ts_remotecontrol_2">ADMX_TerminalServer/TS_RemoteControl_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotedesktopvirtualgraphics" id="admx-terminalserver-ts_remotedesktopvirtualgraphics">ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_clustname" id="admx-terminalserver-ts_sd_clustname">ADMX_TerminalServer/TS_SD_ClustName</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_expose_address" id="admx-terminalserver-ts_sd_expose_address">ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_loc" id="admx-terminalserver-ts_sd_loc">ADMX_TerminalServer/TS_SD_Loc</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_security_layer_policy" id="admx-terminalserver-ts_security_layer_policy">ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_network_detect" id="admx-terminalserver-ts_select_network_detect">ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_transport" id="admx-terminalserver-ts_select_transport">ADMX_TerminalServer/TS_SELECT_TRANSPORT</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_advanced_remotefx_remoteapp" id="admx-terminalserver-ts_server_advanced_remotefx_remoteapp">ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_auth" id="admx-terminalserver-ts_server_auth">ADMX_TerminalServer/TS_SERVER_AUTH</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc_hw_encode_preferred" id="admx-terminalserver-ts_server_avc_hw_encode_preferred">ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc444_mode_preferred" id="admx-terminalserver-ts_server_avc444_mode_preferred">ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_compressor" id="admx-terminalserver-ts_server_compressor">ADMX_TerminalServer/TS_SERVER_COMPRESSOR</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_image_quality" id="admx-terminalserver-ts_server_image_quality">ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_legacy_rfx" id="admx-terminalserver-ts_server_legacy_rfx">ADMX_TerminalServer/TS_SERVER_LEGACY_RFX</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_profile" id="admx-terminalserver-ts_server_profile">ADMX_TerminalServer/TS_SERVER_PROFILE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_visexp" id="admx-terminalserver-ts_server_visexp">ADMX_TerminalServer/TS_SERVER_VISEXP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_wddm_graphics_driver" id="admx-terminalserver-ts_server_wddm_graphics_driver">ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_1" id="admx-terminalserver-ts_session_end_on_limit_1">ADMX_TerminalServer/TS_Session_End_On_Limit_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_2" id="admx-terminalserver-ts_session_end_on_limit_2">ADMX_TerminalServer/TS_Session_End_On_Limit_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_1" id="admx-terminalserver-ts_sessions_disconnected_timeout_1">ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_2" id="admx-terminalserver-ts_sessions_disconnected_timeout_2">ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2</a>
</dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_1" id="admx-terminalserver-ts_sessions_idle_limit_1">ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_2" id="admx-terminalserver-ts_sessions_idle_limit_2">ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_single_session" id="admx-terminalserver-ts_single_session">ADMX_TerminalServer/TS_SINGLE_SESSION</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_smart_card" id="admx-terminalserver-ts_smart_card">ADMX_TerminalServer/TS_SMART_CARD</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_1" id="admx-terminalserver-ts_start_program_1">ADMX_TerminalServer/TS_START_PROGRAM_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_2" id="admx-terminalserver-ts_start_program_2">ADMX_TerminalServer/TS_START_PROGRAM_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_delete" id="admx-terminalserver-ts_temp_delete">ADMX_TerminalServer/TS_TEMP_DELETE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_per_session" id="admx-terminalserver-ts_temp_per_session">ADMX_TerminalServer/TS_TEMP_PER_SESSION</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_time_zone" id="admx-terminalserver-ts_time_zone">ADMX_TerminalServer/TS_TIME_ZONE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_tscc_permissions_policy" id="admx-terminalserver-ts_tscc_permissions_policy">ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_turnoff_singleapp" id="admx-terminalserver-ts_turnoff_singleapp">ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_uia" id="admx-terminalserver-ts_uia">ADMX_TerminalServer/TS_UIA</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_usb_redirection_disable" id="admx-terminalserver-ts_usb_redirection_disable">ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_authentication_policy" id="admx-terminalserver-ts_user_authentication_policy">ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_home" id="admx-terminalserver-ts_user_home">ADMX_TerminalServer/TS_USER_HOME</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_mandatory_profiles" id="admx-terminalserver-ts_user_mandatory_profiles">ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_profiles" id="admx-terminalserver-ts_user_profiles">ADMX_TerminalServer/TS_USER_PROFILES</a>
</dd>
<dl>
### ADMX_Thumbnails policies
@ -6181,6 +6438,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### EAP policies
<dl>
<dd>
<a href="./policy-csp-eap.md#eap-allowtls1_3" id="eap-allowtls1_3">EAP/AllowTLS1_3</a>
</dd>
</dl>
### Education policies
<dl>
@ -6371,6 +6636,20 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### HumanPresence policies
<dl>
<dd>
<a href="./policy-csp-humanpresence.md#humanpresence-forceinstantlock" id="humanpresence-forceinstantlock">HumanPresence/ForceInstantLock</a>
</dd>
<dd>
<a href="./policy-csp-humanpresence.md#humanpresence-forceinstantwake" id="humanpresence-forceinstantwake">HumanPresence/ForceInstantWake</a>
</dd>
<dd>
<a href="./policy-csp-humanpresence.md#humanpresence-forcelocktimeout" id="humanpresence-forcelocktimeout">HumanPresence/ForceLockTimeout</a>
</dd>
</dl>
### InternetExplorer policies
<dl>
@ -7380,6 +7659,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### MemoryDump policies
<dl>
<dd>
<a href="./policy-csp-memorydump.md#memorydump-allowcrashdump" id="memorydump-allowcrashdump">MemoryDump/AllowCrashDump</a>
</dd>
<dd>
<a href="./policy-csp-memorydump.md#memorydump-allowlivedump" id="memorydump-allowlivedump">MemoryDump/AllowLiveDump</a>
</dd>
</dl>
### Messaging policies
<dl>
@ -7497,6 +7787,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
</dl>
### NewsAndInterests policies
<dl>
<dd>
<a href="./policy-csp-newsandinterests.md#newsandinterests-allownewsandinterests" id="newsandinterests-allownewsandinterests">NewsAndInterests/AllowNewsAndInterests</a>
</dd>
</dl>
### Notifications policies
<dl>
@ -7900,6 +8198,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### RemoteDesktop policies
<dl>
<dd>
<a href="./policy-csp-remotedesktop.md#remotedesktop-autosubscription" id="remotedesktop-autosubscription">RemoteDesktop/AutoSubscription</a>
</dd>
<dd>
<a href="./policy-csp-remotedesktop.md#remotedesktop-loadaadcredkeyfromprofile" id="remotedesktop-loadaadcredkeyfromprofile">RemoteDesktop/LoadAadCredKeyFromProfile</a>
</dd>
</dl>
### RemoteDesktopServices policies
<dl>
@ -8294,6 +8603,18 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-storage.md#storage-removablediskdenywriteaccess" id="storage-removablediskdenywriteaccess">Storage/RemovableDiskDenyWriteAccess</a>
</dd>
<dd>
<a href="./policy-csp-storage.md#storage-wpddevicesdenyreadaccessperdevice" id="storage-wpddevicesdenyreadaccessperdevice">Storage/WPDDevicesDenyReadAccessPerDevice</a>
</dd>
<dd>
<a href="./policy-csp-storage.md#storage-wpddevicesdenyreadaccessperuser" id="storage-wpddevicesdenyreadaccessperuser">Storage/WPDDevicesDenyReadAccessPerUser</a>
</dd>
<dd>
<a href="./policy-csp-storage.md#storage-wpddevicesdenywriteaccessperdevice" id="storage-wpddevicesdenywriteaccessperdevice">Storage/WPDDevicesDenyWriteAccessPerDevice</a>
</dd>
<dd>
<a href="./policy-csp-storage.md#storage-wpddevicesdenywriteaccessperuser" id="storage-wpddevicesdenywriteaccessperuser">Storage/WPDDevicesDenyWriteAccessPerUser</a>
</dd>
</dl>
### System policies

4
windows/client-management/mdm/policy-csp-admx-errorreporting.md
View File

@ -1068,7 +1068,7 @@ If this policy setting is disabled or not configured, then the consent level def
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Default consent*
- GP Friendly name: *Configure Default consent*
- GP name: *WerDefaultConsent_1*
- GP path: *Windows Components\Windows Error Reporting\Consent*
- GP ADMX file name: *ErrorReporting.admx*
@ -1166,7 +1166,7 @@ If you disable or do not configure this policy setting, the Turn off Windows Err
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Disable Windows Error Reporting*
- GP Friendly name: *Disable Windows Error Reporting*
- GP name: *WerDisable_1*
- GP path: *Windows Components\Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*

52
windows/client-management/mdm/policy-csp-admx-icm.md
View File

@ -148,7 +148,7 @@ If you do not configure this policy setting, the administrator can use the Probl
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Windows Customer Experience Improvement Program*
- GP Friendly name: *Turn off Windows Customer Experience Improvement Program*
- GP name: *CEIPEnable*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -196,7 +196,7 @@ If you disable or do not configure this policy setting, your computer will conta
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Automatic Root Certificates Update*
- GP Friendly name: *Turn off Automatic Root Certificates Update*
- GP name: *CertMgr_DisableAutoRootUpdates*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -247,7 +247,7 @@ If you disable or do not configure this policy setting, users can choose to prin
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off printing over HTTP*
- GP Friendly name: *Turn off printing over HTTP*
- GP name: *DisableHTTPPrinting_1*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -300,7 +300,7 @@ If you disable or do not configure this policy setting, users can download print
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off downloading of print drivers over HTTP*
- GP Friendly name: *Turn off downloading of print drivers over HTTP*
- GP name: *DisableWebPnPDownload_1*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -353,7 +353,7 @@ Also see "Turn off Windows Update device driver search prompt" in "Administrativ
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Windows Update device driver searching*
- GP Friendly name: *Turn off Windows Update device driver searching*
- GP name: *DriverSearchPlaces_DontSearchWindowsUpdate*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -403,7 +403,7 @@ Also, see "Events.asp URL", "Events.asp program", and "Events.asp Program Comman
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Event Viewer "Events.asp" links*
- GP Friendly name: *Turn off Event Viewer "Events.asp" links*
- GP name: *EventViewer_DisableLinks*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -453,7 +453,7 @@ You might want to enable this policy setting for users who do not have Internet
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Help and Support Center "Did you know?" content*
- GP Friendly name: *Turn off Help and Support Center "Did you know?" content*
- GP name: *HSS_HeadlinesPolicy*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -501,7 +501,7 @@ If you disable or do not configure this policy setting, the Knowledge Base is se
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Help and Support Center Microsoft Knowledge Base search*
- GP Friendly name: *Turn off Help and Support Center Microsoft Knowledge Base search*
- GP name: *HSS_KBSearchPolicy*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -549,7 +549,7 @@ If you do not configure this policy setting, all of the the policy settings in t
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Restrict Internet communication*
- GP Friendly name: *Restrict Internet communication*
- GP name: *InternetManagement_RestrictCommunication_1*
- GP path: *System\Internet Communication Management*
- GP ADMX file name: *ICM.admx*
@ -596,7 +596,7 @@ If you do not configure this policy setting, all of the the policy settings in t
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Restrict Internet communication*
- GP Friendly name: *Restrict Internet communication*
- GP name: *InternetManagement_RestrictCommunication_2*
- GP path: *System\Internet Communication Management*
- GP ADMX file name: *ICM.admx*
@ -642,7 +642,7 @@ If you disable or do not configure this policy setting, users can connect to Mic
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com*
- GP Friendly name: *Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com*
- GP name: *NC_ExitOnISP*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -690,7 +690,7 @@ Note that registration is optional and involves submitting some personal informa
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Registration if URL connection is referring to Microsoft.com*
- GP Friendly name: *Turn off Registration if URL connection is referring to Microsoft.com*
- GP name: *NC_NoRegistration*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -742,7 +742,7 @@ Also see the "Configure Error Reporting", "Display Error Notification" and "Disa
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Windows Error Reporting*
- GP Friendly name: *Turn off Windows Error Reporting*
- GP name: *PCH_DoNotReport*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -791,7 +791,7 @@ If you disable or do not configure this policy setting, users can access the Win
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off access to all Windows Update features*
- GP Friendly name: *Turn off access to all Windows Update features*
- GP name: *RemoveWindowsUpdate_ICM*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -842,7 +842,7 @@ If you disable or do not configure this policy setting, Search Companion downloa
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Search Companion content file updates*
- GP Friendly name: *Turn off Search Companion content file updates*
- GP name: *SearchCompanion_DisableFileUpdates*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -890,7 +890,7 @@ If you disable or do not configure this policy setting, the user is allowed to u
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Internet File Association service*
- GP Friendly name: *Turn off Internet File Association service*
- GP name: *ShellNoUseInternetOpenWith_1*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -938,7 +938,7 @@ If you disable or do not configure this policy setting, the user is allowed to u
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Internet File Association service*
- GP Friendly name: *Turn off Internet File Association service*
- GP name: *ShellNoUseInternetOpenWith_2*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -986,7 +986,7 @@ If you disable or do not configure this policy setting, the user is allowed to u
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off access to the Store*
- GP Friendly name: *Turn off access to the Store*
- GP name: *ShellNoUseStoreOpenWith_1*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -1034,7 +1034,7 @@ If you disable or do not configure this policy setting, the user is allowed to u
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off access to the Store*
- GP Friendly name: *Turn off access to the Store*
- GP name: *ShellNoUseStoreOpenWith_2*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -1082,7 +1082,7 @@ See the documentation for the web publishing and online ordering wizards for mor
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Internet download for Web publishing and online ordering wizards*
- GP Friendly name: *Turn off Internet download for Web publishing and online ordering wizards*
- GP name: *ShellPreventWPWDownload_1*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -1128,7 +1128,7 @@ If you disable or do not configure this policy setting, the task is displayed.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off the "Order Prints" picture task*
- GP Friendly name: *Turn off the "Order Prints" picture task*
- GP name: *ShellRemoveOrderPrints_1*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -1176,7 +1176,7 @@ If you disable or do not configure this policy setting, the task is displayed.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off the "Order Prints" picture task*
- GP Friendly name: *Turn off the "Order Prints" picture task*
- GP name: *ShellRemoveOrderPrints_2*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -1222,7 +1222,7 @@ If you enable this policy setting, these tasks are removed from the File and Fol
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off the "Publish to Web" task for files and folders*
- GP Friendly name: *Turn off the "Publish to Web" task for files and folders*
- GP name: *ShellRemovePublishToWeb_1*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -1270,7 +1270,7 @@ If you disable or do not configure this policy setting, the tasks are shown.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off the "Publish to Web" task for files and folders*
- GP Friendly name: *Turn off the "Publish to Web" task for files and folders*
- GP name: *ShellRemovePublishToWeb_2*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -1320,7 +1320,7 @@ If you disable this policy setting, Windows Messenger collects anonymous usage i
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off the Windows Messenger Customer Experience Improvement Program*
- GP Friendly name: *Turn off the Windows Messenger Customer Experience Improvement Program*
- GP name: *WinMSG_NoInstrumentation_1*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*
@ -1372,7 +1372,7 @@ If you do not configure this policy setting, users have the choice to opt in and
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off the Windows Messenger Customer Experience Improvement Program*
- GP Friendly name: *Turn off the Windows Messenger Customer Experience Improvement Program*
- GP name: *WinMSG_NoInstrumentation_2*
- GP path: *System\Internet Communication Management\Internet Communication settings*
- GP ADMX file name: *ICM.admx*

6
windows/client-management/mdm/policy-csp-admx-iscsi.md
View File

@ -76,7 +76,7 @@ If disabled then new iSNS servers may be added and thus new targets discovered v
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow manual configuration of iSNS servers*
- GP Friendly name: *Do not allow manual configuration of iSNS servers*
- GP name: *iSCSIGeneral_RestrictAdditionalLogins*
- GP path: *System\iSCSI\iSCSI Target Discovery*
- GP ADMX file name: *iSCSI.admx*
@ -119,7 +119,7 @@ If disabled then new target portals may be added and thus new targets discovered
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow manual configuration of target portals*
- GP Friendly name: *Do not allow manual configuration of target portals*
- GP name: *iSCSIGeneral_ChangeIQNName*
- GP path: *System\iSCSI\iSCSI Target Discovery*
- GP ADMX file name: *iSCSI.admx*
@ -163,7 +163,7 @@ If disabled then the initiator CHAP secret may be changed.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow changes to initiator CHAP secret*
- GP Friendly name: *Do not allow changes to initiator CHAP secret*
- GP name: *iSCSISecurity_ChangeCHAPSecret*
- GP path: *System\iSCSI\iSCSI Security*
- GP ADMX file name: *iSCSI.admx*

12
windows/client-management/mdm/policy-csp-admx-kdc.md
View File

@ -113,7 +113,7 @@ Impact on domain controller performance when this policy setting is enabled:
<!--ADMXBacked-->
ADMX Info:
- GP English name: *KDC support for claims, compound authentication and Kerberos armoring*
- GP Friendly name: *KDC support for claims, compound authentication and Kerberos armoring*
- GP name: *CbacAndArmor*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*
@ -161,7 +161,7 @@ To ensure consistent behavior, this policy setting must be supported and set ide
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Use forest search order*
- GP Friendly name: *Use forest search order*
- GP name: *ForestSearch*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*
@ -213,7 +213,7 @@ If you disable or not configure this policy setting, then the DC will never offe
<!--ADMXBacked-->
ADMX Info:
- GP English name: *KDC support for PKInit Freshness Extension*
- GP Friendly name: *KDC support for PKInit Freshness Extension*
- GP name: *PKINITFreshness*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*
@ -262,7 +262,7 @@ If you disable or do not configure this policy setting, domain controllers will
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Request compound authentication*
- GP Friendly name: *Request compound authentication*
- GP name: *RequestCompoundId*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*
@ -308,7 +308,7 @@ If you disable or do not configure this policy setting, the threshold value defa
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Warning for large Kerberos tickets*
- GP Friendly name: *Warning for large Kerberos tickets*
- GP name: *TicketSizeThreshold*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*
@ -359,7 +359,7 @@ If you disable or do not configure this policy setting, the domain controller do
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Provide information about previous logons to client computers*
- GP Friendly name: *Provide information about previous logons to client computers*
- GP name: *emitlili*
- GP path: *System/KDC*
- GP ADMX file name: *kdc.admx*

16
windows/client-management/mdm/policy-csp-admx-kerberos.md
View File

@ -95,7 +95,7 @@ If you disable or do not configure this policy setting and the resource domain r
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Always send compound authentication first*
- GP Friendly name: *Always send compound authentication first*
- GP name: *AlwaysSendCompoundId*
- GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx*
@ -148,7 +148,7 @@ If you do not configure this policy setting, Automatic will be used.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Support device authentication using certificate*
- GP Friendly name: *Support device authentication using certificate*
- GP name: *DevicePKInitEnabled*
- GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx*
@ -196,7 +196,7 @@ If you do not configure this policy setting, the system uses the host name-to-Ke
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define host name-to-Kerberos realm mappings*
- GP Friendly name: *Define host name-to-Kerberos realm mappings*
- GP name: *HostToRealm*
- GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx*
@ -243,7 +243,7 @@ If you disable or do not configure this policy setting, the Kerberos client enfo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Disable revocation checking for the SSL certificate of KDC proxy servers*
- GP Friendly name: *Disable revocation checking for the SSL certificate of KDC proxy servers*
- GP name: *KdcProxyDisableServerRevocationCheck*
- GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx*
@ -289,7 +289,7 @@ If you disable or do not configure this policy setting, the Kerberos client does
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify KDC proxy servers for Kerberos clients*
- GP Friendly name: *Specify KDC proxy servers for Kerberos clients*
- GP name: *KdcProxyServer*
- GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx*
@ -337,7 +337,7 @@ If you do not configure this policy setting, the system uses the interoperable K
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define interoperable Kerberos V5 realm settings*
- GP Friendly name: *Define interoperable Kerberos V5 realm settings*
- GP name: *MitRealms*
- GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx*
@ -391,7 +391,7 @@ If you do not configure this policy setting, Automatic will be used.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Support compound authentication*
- GP Friendly name: *Support compound authentication*
- GP name: *ServerAcceptsCompound*
- GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx*
@ -437,7 +437,7 @@ If you disable or do not configure this policy setting, any service is allowed t
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Require strict target SPN match on remote procedure calls*
- GP Friendly name: *Require strict target SPN match on remote procedure calls*
- GP name: *StrictTarget*
- GP path: *System\Kerberos*
- GP ADMX file name: *Kerberos.admx*

8
windows/client-management/mdm/policy-csp-admx-lanmanserver.md
View File

@ -96,7 +96,7 @@ Arrange the desired cipher suites in the edit box, one cipher suite per line, in
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Cipher suite order*
- GP Friendly name: *Cipher suite order*
- GP name: *Pol_CipherSuiteOrder*
- GP path: *Network/Lanman Server*
- GP ADMX file name: *LanmanServer.admx*
@ -156,7 +156,7 @@ In circumstances where this policy setting is enabled, you can also select the f
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Hash Publication for BranchCache*
- GP Friendly name: *Hash Publication for BranchCache*
- GP name: *Pol_HashPublication*
- GP path: *Network/Lanman Server*
- GP ADMX file name: *LanmanServer.admx*
@ -220,7 +220,7 @@ Hash version supported:
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Hash Version support for BranchCache*
- GP Friendly name: *Hash Version support for BranchCache*
- GP name: *Pol_HashSupportVersion*
- GP path: *Network/Lanman Server*
- GP ADMX file name: *LanmanServer.admx*
@ -269,7 +269,7 @@ If you disable or do not configure this policy setting, the SMB server will sele
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Honor cipher suite order*
- GP Friendly name: *Honor cipher suite order*
- GP name: *Pol_HonorCipherSuiteOrder*
- GP path: *Network/Lanman Server*
- GP ADMX file name: *LanmanServer.admx*

6
windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md
View File

@ -98,7 +98,7 @@ Arrange the desired cipher suites in the edit box, one cipher suite per line, in
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Cipher suite order*
- GP Friendly name: *Cipher suite order*
- GP name: *Pol_CipherSuiteOrder*
- GP path: *Network\Lanman Workstation*
- GP ADMX file name: *LanmanWorkstation.admx*
@ -147,7 +147,7 @@ If you disable or do not configure this policy setting, Windows will prevent use
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Handle Caching on Continuous Availability Shares*
- GP Friendly name: *Handle Caching on Continuous Availability Shares*
- GP name: *Pol_EnableHandleCachingForCAFiles*
- GP path: *Network\Lanman Workstation*
- GP ADMX file name: *LanmanWorkstation.admx*
@ -196,7 +196,7 @@ If you disable or do not configure this policy setting, Windows will prevent use
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Offline Files Availability on Continuous Availability Shares*
- GP Friendly name: *Offline Files Availability on Continuous Availability Shares*
- GP name: *Pol_EnableOfflineFilesforCAShares*
- GP path: *Network\Lanman Workstation*
- GP ADMX file name: *LanmanWorkstation.admx*

2
windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md
View File

@ -80,7 +80,7 @@ The DPS can be configured with the Services snap-in to the Microsoft Management
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure custom alert text*
- GP Friendly name: *Configure custom alert text*
- GP name: *WdiScenarioExecutionPolicy*
- GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic*
- GP ADMX file name: *LeakDiagnostic.admx*

4
windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md
View File

@ -76,7 +76,7 @@ If you disable or do not configure this policy setting, the default behavior of
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on Mapper I/O (LLTDIO) driver*
- GP Friendly name: *Turn on Mapper I/O (LLTDIO) driver*
- GP name: *LLTD_EnableLLTDIO*
- GP path: *Network/Link-Layer Topology Discovery*
- GP ADMX file name: *LinkLayerTopologyDiscovery.admx*
@ -124,7 +124,7 @@ If you disable or do not configure this policy setting, the default behavior for
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on Responder (RSPNDR) driver*
- GP Friendly name: *Turn on Responder (RSPNDR) driver*
- GP name: *LLTD_EnableRspndr*
- GP path: *Network/Link-Layer Topology Discovery*
- GP ADMX file name: *LinkLayerTopologyDiscovery.admx*

30
windows/client-management/mdm/policy-csp-admx-logon.md
View File

@ -113,7 +113,7 @@ If you disable or do not configure this policy setting, the user may choose to s
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Block user from showing account details on sign-in*
- GP Friendly name: *Block user from showing account details on sign-in*
- GP name: *BlockUserFromShowingAccountDetailsOnSignin*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -159,7 +159,7 @@ If you disable or do not configure this policy, the logon background image adopt
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Show clear logon background*
- GP Friendly name: *Show clear logon background*
- GP name: *DisableAcrylicBackgroundOnLogon*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -208,7 +208,7 @@ This policy setting appears in the Computer Configuration and User Configuration
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not process the legacy run list*
- GP Friendly name: *Do not process the legacy run list*
- GP name: *DisableExplorerRunLegacy_1*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -257,7 +257,7 @@ This policy setting appears in the Computer Configuration and User Configuration
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not process the legacy run list*
- GP Friendly name: *Do not process the legacy run list*
- GP name: *DisableExplorerRunLegacy_2*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -310,7 +310,7 @@ This policy setting appears in the Computer Configuration and User Configuration
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not process the run once list*
- GP Friendly name: *Do not process the run once list*
- GP name: *DisableExplorerRunOnceLegacy_1*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -363,7 +363,7 @@ This policy setting appears in the Computer Configuration and User Configuration
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not process the run once list*
- GP Friendly name: *Do not process the run once list*
- GP name: *DisableExplorerRunOnceLegacy_2*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -409,7 +409,7 @@ If you disable or do not configure this policy setting, the system displays the
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Remove Boot / Shutdown / Logon / Logoff status messages*
- GP Friendly name: *Remove Boot / Shutdown / Logon / Logoff status messages*
- GP name: *DisableStatusMessages*
- GP path: *System*
- GP ADMX file name: *Logon.admx*
@ -455,7 +455,7 @@ If you disable or do not configure this policy setting, connected users will be
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not enumerate connected users on domain-joined computers*
- GP Friendly name: *Do not enumerate connected users on domain-joined computers*
- GP name: *DontEnumerateConnectedUsers*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -511,7 +511,7 @@ This setting applies only to Windows. It does not affect the "Configure Your Ser
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not display the Getting Started welcome screen at logon*
- GP Friendly name: *Do not display the Getting Started welcome screen at logon*
- GP name: *NoWelcomeTips_1*
- GP path: *System*
- GP ADMX file name: *Logon.admx*
@ -566,7 +566,7 @@ If you disable or do not configure this policy, the welcome screen is displayed
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not display the Getting Started welcome screen at logon*
- GP Friendly name: *Do not display the Getting Started welcome screen at logon*
- GP name: *NoWelcomeTips_2*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -619,7 +619,7 @@ Also, see the "Do not process the legacy run list" and the "Do not process the r
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Run these programs at user logon*
- GP Friendly name: *Run these programs at user logon*
- GP name: *Run_1*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -673,7 +673,7 @@ Also, see the "Do not process the legacy run list" and the "Do not process the r
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Run these programs at user logon*
- GP Friendly name: *Run these programs at user logon*
- GP name: *Run_2*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -737,7 +737,7 @@ If you disable or do not configure this policy setting and users log on to a cli
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Always wait for the network at computer startup and logon*
- GP Friendly name: *Always wait for the network at computer startup and logon*
- GP name: *SyncForegroundPolicy*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -783,7 +783,7 @@ If you disable or do not configure this policy setting, Windows uses the default
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Always use custom logon background*
- GP Friendly name: *Always use custom logon background*
- GP name: *UseOEMBackground*
- GP path: *System\Logon*
- GP ADMX file name: *Logon.admx*
@ -834,7 +834,7 @@ If you disable or do not configure this policy setting, only the default status
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Display highly detailed status messages*
- GP Friendly name: *Display highly detailed status messages*
- GP name: *VerboseStatus*
- GP path: *System*
- GP ADMX file name: *Logon.admx*

190
windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 12/02/2020
ms.date: 01/03/2022
ms.reviewer:
manager: dansimp
---
@ -347,7 +347,7 @@ If you disable this setting, the antimalware service will load as a low priority
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow antimalware service to startup with normal priority*
- GP Friendly name: *Allow antimalware service to startup with normal priority*
- GP name: *AllowFastServiceStartup*
- GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx*
@ -397,7 +397,7 @@ Enabling or disabling this policy may lead to unexpected or unsupported behavior
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Microsoft Defender Antivirus*
- GP Friendly name: *Turn off Microsoft Defender Antivirus*
- GP name: *DisableAntiSpywareDefender*
- GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx*
@ -448,7 +448,7 @@ Same as Disabled.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Auto Exclusions*
- GP Friendly name: *Turn off Auto Exclusions*
- GP name: *DisableAutoExclusions*
- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions*
- GP ADMX file name: *WindowsDefender.admx*
@ -500,7 +500,7 @@ This feature requires these Policy settings to be set as follows:
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure the 'Block at First Sight' feature*
- GP Friendly name: *Configure the 'Block at First Sight' feature*
- GP name: *DisableBlockAtFirstSeen*
- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS*
- GP ADMX file name: *WindowsDefender.admx*
@ -546,7 +546,7 @@ If you disable this setting, only items defined by Policy will be used in the re
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local administrator merge behavior for lists*
- GP Friendly name: *Configure local administrator merge behavior for lists*
- GP name: *DisableLocalAdminMerge*
- GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx*
@ -594,7 +594,7 @@ If you disable or do not configure this policy setting, Microsoft Defender Antiv
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off real-time protection*
- GP Friendly name: *Turn off real-time protection*
- GP name: *DisableRealtimeMonitoring*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -640,7 +640,7 @@ If you disable or do not configure this policy setting, Microsoft Defender Antiv
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off routine remediation*
- GP Friendly name: *Turn off routine remediation*
- GP name: *DisableRoutinelyTakingAction*
- GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx*
@ -682,7 +682,7 @@ This policy setting allows you specify a list of file types that should be exclu
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Extension Exclusions*
- GP Friendly name: *Extension Exclusions*
- GP name: *Exclusions_Extensions*
- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions*
- GP ADMX file name: *WindowsDefender.admx*
@ -726,7 +726,7 @@ As an example, a path might be defined as: "c:\Windows" to exclude all files in
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Path Exclusions*
- GP Friendly name: *Path Exclusions*
- GP name: *Exclusions_Paths*
- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions*
- GP ADMX file name: *WindowsDefender.admx*
@ -768,7 +768,7 @@ This policy setting allows you to disable scheduled and real-time scanning for a
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Process Exclusions*
- GP Friendly name: *Process Exclusions*
- GP name: *Exclusions_Processes*
- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions*
- GP ADMX file name: *WindowsDefender.admx*
@ -825,7 +825,7 @@ You can configure ASR rules in the Configure Attack Surface Reduction rules GP s
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Exclude files and paths from Attack Surface Reduction Rules*
- GP Friendly name: *Exclude files and paths from Attack Surface Reduction Rules*
- GP name: *ExploitGuard_ASR_ASROnlyExclusions*
- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction*
- GP ADMX file name: *WindowsDefender.admx*
@ -898,7 +898,7 @@ You can exclude folders or files in the "Exclude files and paths from Attack Sur
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Attack Surface Reduction rules*
- GP Friendly name: *Configure Attack Surface Reduction rules*
- GP name: *ExploitGuard_ASR_Rules*
- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction*
- GP ADMX file name: *WindowsDefender.admx*
@ -957,7 +957,7 @@ Default system folders are automatically guarded, but you can add folders in the
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure allowed applications*
- GP Friendly name: *Configure allowed applications*
- GP name: *ExploitGuard_ControlledFolderAccess_AllowedApplications*
- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access*
- GP ADMX file name: *WindowsDefender.admx*
@ -1017,7 +1017,7 @@ Microsoft Defender Antivirus automatically determines which applications can be
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure protected folders*
- GP Friendly name: *Configure protected folders*
- GP name: *ExploitGuard_ControlledFolderAccess_ProtectedFolders*
- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access*
- GP ADMX file name: *WindowsDefender.admx*
@ -1068,7 +1068,7 @@ Same as Disabled.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Enable file hash computation feature*
- GP Friendly name: *Enable file hash computation feature*
- GP name: *MpEngine_EnableFileHashComputation*
- GP path: *Windows Components\Microsoft Defender Antivirus\MpEngine*
- GP ADMX file name: *WindowsDefender.admx*
@ -1114,7 +1114,7 @@ If you disable this setting, definition retirement will be disabled.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on definition retirement*
- GP Friendly name: *Turn on definition retirement*
- GP name: *Nis_Consumers_IPS_DisableSignatureRetirement*
- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System*
- GP ADMX file name: *WindowsDefender.admx*
@ -1156,7 +1156,7 @@ This policy setting defines additional definition sets to enable for network tra
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify additional definition sets for network traffic inspection*
- GP Friendly name: *Specify additional definition sets for network traffic inspection*
- GP name: *Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid*
- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System*
- GP ADMX file name: *WindowsDefender.admx*
@ -1202,7 +1202,7 @@ If you disable this setting, protocol recognition will be disabled.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on protocol recognition*
- GP Friendly name: *Turn on protocol recognition*
- GP name: *Nis_DisableProtocolRecognition*
- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System*
- GP ADMX file name: *WindowsDefender.admx*
@ -1248,7 +1248,7 @@ If you disable or do not configure this setting, the proxy server will not be by
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define addresses to bypass proxy server*
- GP Friendly name: *Define addresses to bypass proxy server*
- GP name: *ProxyBypass*
- GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx*
@ -1300,7 +1300,7 @@ If you disable or do not configure this setting, the proxy will skip over this f
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define proxy auto-config (.pac) for connecting to the network*
- GP Friendly name: *Define proxy auto-config (.pac) for connecting to the network*
- GP name: *ProxyPacUrl*
- GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx*
@ -1352,7 +1352,7 @@ If you disable or do not configure this setting, the proxy will skip over this f
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define proxy server for connecting to the network*
- GP Friendly name: *Define proxy server for connecting to the network*
- GP name: *ProxyServer*
- GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx*
@ -1398,7 +1398,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for the removal of items from Quarantine folder*
- GP Friendly name: *Configure local setting override for the removal of items from Quarantine folder*
- GP name: *Quarantine_LocalSettingOverridePurgeItemsAfterDelay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Quarantine*
- GP ADMX file name: *WindowsDefender.admx*
@ -1444,7 +1444,7 @@ If you disable or do not configure this setting, items will be kept in the quara
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure removal of items from Quarantine folder*
- GP Friendly name: *Configure removal of items from Quarantine folder*
- GP name: *Quarantine_PurgeItemsAfterDelay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Quarantine*
- GP ADMX file name: *WindowsDefender.admx*
@ -1490,7 +1490,7 @@ If you disable this setting, scheduled tasks will begin at the specified start t
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Randomize scheduled task times*
- GP Friendly name: *Randomize scheduled task times*
- GP name: *RandomizeScheduleTaskTimes*
- GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx*
@ -1536,7 +1536,7 @@ If you disable this setting, behavior monitoring will be disabled.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on behavior monitoring*
- GP Friendly name: *Turn on behavior monitoring*
- GP name: *RealtimeProtection_DisableBehaviorMonitoring*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -1582,7 +1582,7 @@ If you disable this setting, scanning for all downloaded files and attachments w
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Scan all downloaded files and attachments*
- GP Friendly name: *Scan all downloaded files and attachments*
- GP name: *RealtimeProtection_DisableIOAVProtection*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -1628,7 +1628,7 @@ If you disable this setting, monitoring for file and program activity will be di
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Monitor file and program activity on your computer*
- GP Friendly name: *Monitor file and program activity on your computer*
- GP name: *RealtimeProtection_DisableOnAccessProtection*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -1674,7 +1674,7 @@ If you disable this setting, raw write notifications be disabled.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on raw volume write notifications*
- GP Friendly name: *Turn on raw volume write notifications*
- GP name: *RealtimeProtection_DisableRawWriteNotification*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -1720,7 +1720,7 @@ If you disable this setting, a process scan will not be initiated when real-time
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on process scanning whenever real-time protection is enabled*
- GP Friendly name: *Turn on process scanning whenever real-time protection is enabled*
- GP name: *RealtimeProtection_DisableScanOnRealtimeEnable*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -1766,7 +1766,7 @@ If you disable or do not configure this setting, a default size will be applied.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define the maximum size of downloaded files and attachments to be scanned*
- GP Friendly name: *Define the maximum size of downloaded files and attachments to be scanned*
- GP name: *RealtimeProtection_IOAVMaxSize*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -1812,7 +1812,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for turn on behavior monitoring*
- GP Friendly name: *Configure local setting override for turn on behavior monitoring*
- GP name: *RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -1858,7 +1858,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for scanning all downloaded files and attachments*
- GP Friendly name: *Configure local setting override for scanning all downloaded files and attachments*
- GP name: *RealtimeProtection_LocalSettingOverrideDisableIOAVProtection*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -1904,7 +1904,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for monitoring file and program activity on your computer*
- GP Friendly name: *Configure local setting override for monitoring file and program activity on your computer*
- GP name: *RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -1950,7 +1950,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override to turn on real-time protection*
- GP Friendly name: *Configure local setting override to turn on real-time protection*
- GP name: *RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -1996,7 +1996,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for monitoring for incoming and outgoing file activity*
- GP Friendly name: *Configure local setting override for monitoring for incoming and outgoing file activity*
- GP name: *RealtimeProtection_LocalSettingOverrideRealtimeScanDirection*
- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
- GP ADMX file name: *WindowsDefender.admx*
@ -2042,7 +2042,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for the time of day to run a scheduled full scan to complete remediation*
- GP Friendly name: *Configure local setting override for the time of day to run a scheduled full scan to complete remediation*
- GP name: *Remediation_LocalSettingOverrideScan_ScheduleTime*
- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation*
- GP ADMX file name: *WindowsDefender.admx*
@ -2100,7 +2100,7 @@ If you disable or do not configure this setting, a scheduled full scan to comple
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify the day of the week to run a scheduled full scan to complete remediation*
- GP Friendly name: *Specify the day of the week to run a scheduled full scan to complete remediation*
- GP name: *Remediation_Scan_ScheduleDay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation*
- GP ADMX file name: *WindowsDefender.admx*
@ -2146,7 +2146,7 @@ If you disable or do not configure this setting, a scheduled full scan to comple
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify the time of day to run a scheduled full scan to complete remediation*
- GP Friendly name: *Specify the time of day to run a scheduled full scan to complete remediation*
- GP name: *Remediation_Scan_ScheduleTime*
- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation*
- GP ADMX file name: *WindowsDefender.admx*
@ -2188,7 +2188,7 @@ This policy setting configures the time in minutes before a detection in the "ad
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure time out for detections requiring additional action*
- GP Friendly name: *Configure time out for detections requiring additional action*
- GP name: *Reporting_AdditionalActionTimeout*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx*
@ -2230,7 +2230,7 @@ This policy setting configures the time in minutes before a detection in the “
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure time out for detections in critically failed state*
- GP Friendly name: *Configure time out for detections in critically failed state*
- GP name: *Reporting_CriticalFailureTimeout*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx*
@ -2276,7 +2276,7 @@ If you enable this setting, Microsoft Defender Antivirus enhanced notifications
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off enhanced notifications*
- GP Friendly name: *Turn off enhanced notifications*
- GP name: *Reporting_DisableEnhancedNotifications*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx*
@ -2321,7 +2321,7 @@ If you disable this setting, Watson events will not be sent.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Watson events*
- GP Friendly name: *Configure Watson events*
- GP name: *Reporting_Disablegenericreports*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx*
@ -2363,7 +2363,7 @@ This policy setting configures the time in minutes before a detection in the "no
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure time out for detections in non-critical failed state*
- GP Friendly name: *Configure time out for detections in non-critical failed state*
- GP name: *Reporting_NonCriticalTimeout*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx*
@ -2403,7 +2403,7 @@ This policy setting configures the time in minutes before a detection in the "co
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure time out for detections in recently remediated state*
- GP Friendly name: *Configure time out for detections in recently remediated state*
- GP name: *Reporting_RecentlyCleanedTimeout*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx*
@ -2445,7 +2445,7 @@ This policy configures Windows software trace preprocessor (WPP Software Tracing
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure Windows software trace preprocessor components*
- GP Friendly name: *Configure Windows software trace preprocessor components*
- GP name: *Reporting_WppTracingComponents*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx*
@ -2494,7 +2494,7 @@ Tracing levels are defined as:
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure WPP tracing level*
- GP Friendly name: *Configure WPP tracing level*
- GP name: *Reporting_WppTracingLevel*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx*
@ -2540,7 +2540,7 @@ If you disable this setting, users will not be able to pause scans.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow users to pause scan*
- GP Friendly name: *Allow users to pause scan*
- GP name: *Scan_AllowPause*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -2586,7 +2586,7 @@ If you disable or do not configure this setting, archive files will be scanned t
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify the maximum depth to scan archive files*
- GP Friendly name: *Specify the maximum depth to scan archive files*
- GP name: *Scan_ArchiveMaxDepth*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -2632,7 +2632,7 @@ If you disable or do not configure this setting, archive files will be scanned a
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify the maximum size of archive files to be scanned*
- GP Friendly name: *Specify the maximum size of archive files to be scanned*
- GP name: *Scan_ArchiveMaxSize*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -2679,7 +2679,7 @@ If you disable this setting, archive files will not be scanned.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Scan archive files*
- GP Friendly name: *Scan archive files*
- GP name: *Scan_DisableArchiveScanning*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -2725,7 +2725,7 @@ If you disable or do not configure this setting, e-mail scanning will be disable
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on e-mail scanning*
- GP Friendly name: *Turn on e-mail scanning*
- GP name: *Scan_DisableEmailScanning*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -2771,7 +2771,7 @@ If you disable this setting, heuristics will be disabled.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on heuristics*
- GP Friendly name: *Turn on heuristics*
- GP name: *Scan_DisableHeuristics*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -2817,7 +2817,7 @@ If you disable this setting, packed executables will not be scanned.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Scan packed executables*
- GP Friendly name: *Scan packed executables*
- GP name: *Scan_DisablePackedExeScanning*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -2863,7 +2863,7 @@ If you disable or do not configure this setting, removable drives will not be sc
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Scan removable drives*
- GP Friendly name: *Scan removable drives*
- GP name: *Scan_DisableRemovableDriveScanning*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -2909,7 +2909,7 @@ If you disable or do not configure this setting, reparse point scanning will be
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on reparse point scanning*
- GP Friendly name: *Turn on reparse point scanning*
- GP name: *Scan_DisableReparsePointScanning*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -2955,7 +2955,7 @@ If you disable or do not configure this setting, a system restore point will not
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Create a system restore point*
- GP Friendly name: *Create a system restore point*
- GP name: *Scan_DisableRestorePoint*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3000,7 +3000,7 @@ If you disable or do not configure this setting, mapped network drives will not
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Run full scan on mapped network drives*
- GP Friendly name: *Run full scan on mapped network drives*
- GP name: *Scan_DisableScanningMappedNetworkDrivesForFullScan*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3046,7 +3046,7 @@ If you disable or do not configure this setting, network files will not be scann
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Scan network files*
- GP Friendly name: *Scan network files*
- GP name: *Scan_DisableScanningNetworkFiles*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3092,7 +3092,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for maximum percentage of CPU utilization*
- GP Friendly name: *Configure local setting override for maximum percentage of CPU utilization*
- GP name: *Scan_LocalSettingOverrideAvgCPULoadFactor*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3138,7 +3138,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for the scan type to use for a scheduled scan*
- GP Friendly name: *Configure local setting override for the scan type to use for a scheduled scan*
- GP name: *Scan_LocalSettingOverrideScanParameters*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3184,7 +3184,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for schedule scan day*
- GP Friendly name: *Configure local setting override for schedule scan day*
- GP name: *Scan_LocalSettingOverrideScheduleDay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3230,7 +3230,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for scheduled quick scan time*
- GP Friendly name: *Configure local setting override for scheduled quick scan time*
- GP name: *Scan_LocalSettingOverrideScheduleQuickScantime*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3276,7 +3276,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for scheduled scan time*
- GP Friendly name: *Configure local setting override for scheduled scan time*
- GP name: *Scan_LocalSettingOverrideScheduleTime*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3322,7 +3322,7 @@ If you disable or do not configure this setting, not changes will be made to CPU
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure low CPU priority for scheduled scans*
- GP Friendly name: *Configure low CPU priority for scheduled scans*
- GP name: *Scan_LowCpuPriority*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3368,7 +3368,7 @@ If you disable or do not configure this setting, a catch-up scan will occur afte
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define the number of days after which a catch-up scan is forced*
- GP Friendly name: *Define the number of days after which a catch-up scan is forced*
- GP name: *Scan_MissedScheduledScanCountBeforeCatchup*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3414,7 +3414,7 @@ If you disable or do not configure this setting, items will be kept in the scan
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on removal of items from scan history folder*
- GP Friendly name: *Turn on removal of items from scan history folder*
- GP name: *Scan_PurgeItemsAfterDelay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3460,7 +3460,7 @@ If you disable or do not configure this setting, a quick scan will run at a defa
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify the interval to run quick scans per day*
- GP Friendly name: *Specify the interval to run quick scans per day*
- GP name: *Scan_QuickScanInterval*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3506,7 +3506,7 @@ If you disable this setting, scheduled scans will run at the scheduled time.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Start the scheduled scan only when computer is on but not in use*
- GP Friendly name: *Start the scheduled scan only when computer is on but not in use*
- GP name: *Scan_ScanOnlyIfIdle*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3564,7 +3564,7 @@ If you disable or do not configure this setting, a scheduled scan will run at a
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify the day of the week to run a scheduled scan*
- GP Friendly name: *Specify the day of the week to run a scheduled scan*
- GP name: *Scan_ScheduleDay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3610,7 +3610,7 @@ If you disable or do not configure this setting, a scheduled scan will run at a
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify the time of day to run a scheduled scan*
- GP Friendly name: *Specify the time of day to run a scheduled scan*
- GP name: *Scan_ScheduleTime*
- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
- GP ADMX file name: *WindowsDefender.admx*
@ -3656,7 +3656,7 @@ If you disable or do not configure this setting, the antimalware service will be
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow antimalware service to remain running always*
- GP Friendly name: *Allow antimalware service to remain running always*
- GP name: *ServiceKeepAlive*
- GP path: *Windows Components\Microsoft Defender Antivirus*
- GP ADMX file name: *WindowsDefender.admx*
@ -3693,6 +3693,8 @@ ADMX Info:
<!--Description-->
This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days.
We do not recommend setting the value to less than 2 days to prevent machines from going out of date.
If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update.
If you disable or do not configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update.
@ -3702,7 +3704,7 @@ If you disable or do not configure this setting, spyware security intelligence w
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define the number of days before spyware security intelligence is considered out of date*
- GP Friendly name: *Define the number of days before spyware security intelligence is considered out of date*
- GP name: *SignatureUpdate_ASSignatureDue*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -3748,7 +3750,7 @@ If you disable or do not configure this setting, virus security intelligence wil
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define the number of days before virus security intelligence is considered out of date*
- GP Friendly name: *Define the number of days before virus security intelligence is considered out of date*
- GP name: *SignatureUpdate_AVSignatureDue*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -3794,7 +3796,7 @@ If you disable or do not configure this setting, the list will remain empty by d
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define file shares for downloading security intelligence updates*
- GP Friendly name: *Define file shares for downloading security intelligence updates*
- GP name: *SignatureUpdate_DefinitionUpdateFileSharesSources*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -3840,7 +3842,7 @@ If you disable this setting, a scan will not start following a security intellig
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on scan after security intelligence update*
- GP Friendly name: *Turn on scan after security intelligence update*
- GP name: *SignatureUpdate_DisableScanOnUpdate*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -3886,7 +3888,7 @@ If you disable this setting, security intelligence updates will be turned off wh
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow security intelligence updates when running on battery power*
- GP Friendly name: *Allow security intelligence updates when running on battery power*
- GP name: *SignatureUpdate_DisableScheduledSignatureUpdateonBattery*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -3932,7 +3934,7 @@ If you disable this setting, security intelligence updates will not be initiated
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Initiate security intelligence update on startup*
- GP Friendly name: *Initiate security intelligence update on startup*
- GP name: *SignatureUpdate_DisableUpdateOnStartupWithoutEngine*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -3980,7 +3982,7 @@ If you disable or do not configure this setting, security intelligence update so
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define the order of sources for downloading security intelligence updates*
- GP Friendly name: *Define the order of sources for downloading security intelligence updates*
- GP name: *SignatureUpdate_FallbackOrder*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -4026,7 +4028,7 @@ If you disable or do not configure this setting, security intelligence updates w
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow security intelligence updates from Microsoft Update*
- GP Friendly name: *Allow security intelligence updates from Microsoft Update*
- GP name: *SignatureUpdate_ForceUpdateFromMU*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -4072,7 +4074,7 @@ If you disable this setting, real-time security intelligence updates will disabl
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow real-time security intelligence updates based on reports to Microsoft MAPS*
- GP Friendly name: *Allow real-time security intelligence updates based on reports to Microsoft MAPS*
- GP name: *SignatureUpdate_RealtimeSignatureDelivery*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -4130,7 +4132,7 @@ If you disable or do not configure this setting, the check for security intellig
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify the day of the week to check for security intelligence updates*
- GP Friendly name: *Specify the day of the week to check for security intelligence updates*
- GP name: *SignatureUpdate_ScheduleDay*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -4176,7 +4178,7 @@ If you disable or do not configure this setting, the check for security intelli
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify the time to check for security intelligence updates*
- GP Friendly name: *Specify the time to check for security intelligence updates*
- GP name: *SignatureUpdate_ScheduleTime*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -4220,7 +4222,7 @@ If you disable or do not configure this setting, security intelligence will be r
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define security intelligence location for VDI clients.*
- GP Friendly name: *Define security intelligence location for VDI clients.*
- GP name: *SignatureUpdate_SharedSignaturesLocation*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -4266,7 +4268,7 @@ If you disable this setting, the antimalware service will not receive notificati
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow notifications to disable security intelligence based reports to Microsoft MAPS*
- GP Friendly name: *Allow notifications to disable security intelligence based reports to Microsoft MAPS*
- GP name: *SignatureUpdate_SignatureDisableNotification*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -4312,7 +4314,7 @@ If you disable or do not configure this setting, a catch-up security intelligenc
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Define the number of days after which a catch-up security intelligence update is required*
- GP Friendly name: *Define the number of days after which a catch-up security intelligence update is required*
- GP name: *SignatureUpdate_SignatureUpdateCatchupInterval*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -4358,7 +4360,7 @@ If you disable this setting or do not configure this setting, a check for new se
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Check for the latest virus and spyware security intelligence on startup*
- GP Friendly name: *Check for the latest virus and spyware security intelligence on startup*
- GP name: *SignatureUpdate_UpdateOnStartup*
- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
@ -4418,7 +4420,7 @@ In Windows 10, Basic membership is no longer available, so setting the value to
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Join Microsoft MAPS*
- GP Friendly name: *Join Microsoft MAPS*
- GP name: *SpynetReporting*
- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS*
- GP ADMX file name: *WindowsDefender.admx*
@ -4464,7 +4466,7 @@ If you disable or do not configure this setting, Policy will take priority over
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure local setting override for reporting to Microsoft MAPS*
- GP Friendly name: *Configure local setting override for reporting to Microsoft MAPS*
- GP name: *Spynet_LocalSettingOverrideSpynetReporting*
- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS*
- GP ADMX file name: *WindowsDefender.admx*
@ -4513,7 +4515,7 @@ Valid remediation action values are:
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify threats upon which default action should not be taken when detected*
- GP Friendly name: *Specify threats upon which default action should not be taken when detected*
- GP name: *Threats_ThreatIdDefaultAction*
- GP path: *Windows Components\Microsoft Defender Antivirus\Threats*
- GP ADMX file name: *WindowsDefender.admx*
@ -4559,7 +4561,7 @@ If you disable or do not configure this setting, there will be no additional tex
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Display additional text to clients when they need to perform an action*
- GP Friendly name: *Display additional text to clients when they need to perform an action*
- GP name: *UX_Configuration_CustomDefaultActionToastString*
- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface*
- GP ADMX file name: *WindowsDefender.admx*
@ -4605,7 +4607,7 @@ If you enable this setting, Microsoft Defender Antivirus notifications will not
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Suppress all notifications*
- GP Friendly name: *Suppress all notifications*
- GP name: *UX_Configuration_Notification_Suppress*
- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface*
- GP ADMX file name: *WindowsDefender.admx*
@ -4649,7 +4651,7 @@ If you enable this setting AM UI won't show reboot notifications.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Suppresses reboot notifications*
- GP Friendly name: *Suppresses reboot notifications*
- GP name: *UX_Configuration_SuppressRebootNotification*
- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface*
- GP ADMX file name: *WindowsDefender.admx*
@ -4693,7 +4695,7 @@ If you enable this setting AM UI won't be available to users.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Enable headless UI mode*
- GP Friendly name: *Enable headless UI mode*
- GP name: *UX_Configuration_UILockdown*
- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface*
- GP ADMX file name: *WindowsDefender.admx*

10
windows/client-management/mdm/policy-csp-admx-mmc.md
View File

@ -93,7 +93,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *ActiveX Control*
- GP Friendly name: *ActiveX Control*
- GP name: *MMC_ActiveXControl*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMC.admx*
@ -149,7 +149,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Extended View (Web View)*
- GP Friendly name: *Extended View (Web View)*
- GP name: *MMC_ExtendView*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMC.admx*
@ -205,7 +205,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Link to Web Address*
- GP Friendly name: *Link to Web Address*
- GP name: *MMC_LinkToWeb*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMC.admx*
@ -255,7 +255,7 @@ If you disable this setting or do not configure it, users can enter author mode
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Restrict the user from entering author mode*
- GP Friendly name: *Restrict the user from entering author mode*
- GP name: *MMC_Restrict_Author*
- GP path: *Windows Components\Microsoft Management Console*
- GP ADMX file name: *MMC.admx*
@ -310,7 +310,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Restrict users to the explicitly permitted list of snap-ins*
- GP Friendly name: *Restrict users to the explicitly permitted list of snap-ins*
- GP name: *MMC_Restrict_To_Permitted_Snapins*
- GP path: *Windows Components\Microsoft Management Console*
- GP ADMX file name: *MMC.admx*

48
windows/client-management/mdm/policy-csp-admx-mmcsnapins.md
View File

@ -4774,7 +4774,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Security Settings*
- GP Friendly name: *Security Settings*
- GP name: *MMC_SecuritySettings_1*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -4828,7 +4828,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Security Settings*
- GP Friendly name: *Security Settings*
- GP name: *MMC_SecuritySettings_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -4882,7 +4882,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Security Templates*
- GP Friendly name: *Security Templates*
- GP name: *MMC_SecurityTemplates*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -4936,7 +4936,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Send Console Message*
- GP Friendly name: *Send Console Message*
- GP name: *MMC_SendConsoleMessage*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -4990,7 +4990,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Server Manager*
- GP Friendly name: *Server Manager*
- GP name: *MMC_ServerManager*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5044,7 +5044,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Service Dependencies*
- GP Friendly name: *Service Dependencies*
- GP name: *MMC_ServiceDependencies*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5098,7 +5098,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Services*
- GP Friendly name: *Services*
- GP name: *MMC_Services*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5152,7 +5152,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Shared Folders*
- GP Friendly name: *Shared Folders*
- GP name: *MMC_SharedFolders*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5206,7 +5206,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Shared Folders Ext*
- GP Friendly name: *Shared Folders Ext*
- GP name: *MMC_SharedFolders_Ext*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5260,7 +5260,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Software Installation (Computers)*
- GP Friendly name: *Software Installation (Computers)*
- GP name: *MMC_SoftwareInstalationComputers_1*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -5314,7 +5314,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Software Installation (Computers)*
- GP Friendly name: *Software Installation (Computers)*
- GP name: *MMC_SoftwareInstalationComputers_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -5368,7 +5368,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Software Installation (Users)*
- GP Friendly name: *Software Installation (Users)*
- GP name: *MMC_SoftwareInstallationUsers_1*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -5422,7 +5422,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Software Installation (Users)*
- GP Friendly name: *Software Installation (Users)*
- GP name: *MMC_SoftwareInstallationUsers_2*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -5476,7 +5476,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *System Information*
- GP Friendly name: *System Information*
- GP name: *MMC_SysInfo*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5530,7 +5530,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *System Properties*
- GP Friendly name: *System Properties*
- GP name: *MMC_SysProp*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5584,7 +5584,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *TPM Management*
- GP Friendly name: *TPM Management*
- GP name: *MMC_TPMManagement*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5638,7 +5638,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Telephony*
- GP Friendly name: *Telephony*
- GP name: *MMC_Telephony*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5692,7 +5692,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Remote Desktop Services Configuration*
- GP Friendly name: *Remote Desktop Services Configuration*
- GP name: *MMC_TerminalServices*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5746,7 +5746,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *WMI Control*
- GP Friendly name: *WMI Control*
- GP name: *MMC_WMI*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5800,7 +5800,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Windows Firewall with Advanced Security*
- GP Friendly name: *Windows Firewall with Advanced Security*
- GP name: *MMC_WindowsFirewall*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -5854,7 +5854,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Windows Firewall with Advanced Security*
- GP Friendly name: *Windows Firewall with Advanced Security*
- GP name: *MMC_WindowsFirewall_GP*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -5908,7 +5908,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Wired Network (IEEE 802.3) Policies*
- GP Friendly name: *Wired Network (IEEE 802.3) Policies*
- GP name: *MMC_WiredNetworkPolicy*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*
@ -5962,7 +5962,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Wireless Monitor*
- GP Friendly name: *Wireless Monitor*
- GP name: *MMC_WirelessMon*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins*
- GP ADMX file name: *MMCSnapins.admx*
@ -6016,7 +6016,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Wireless Network (IEEE 802.11) Policies*
- GP Friendly name: *Wireless Network (IEEE 802.11) Policies*
- GP name: *MMC_WirelessNetworkPolicy*
- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions*
- GP ADMX file name: *MMCSnapins.admx*

2
windows/client-management/mdm/policy-csp-admx-taskbar.md
View File

@ -1115,5 +1115,5 @@ ADMX Info:
<!--/Policy-->
<hr/>
p<!--/Policies-->
<!--/Policies-->

4730
windows/client-management/mdm/policy-csp-admx-terminalserver.md
View File

File diff suppressed because it is too large Load Diff

64
windows/client-management/mdm/policy-csp-applicationmanagement.md
View File

@ -20,6 +20,9 @@ manager: dansimp
## ApplicationManagement policies
<dl>
<dd>
<a href="#applicationmanagement-allowautomaticapparchiving">ApplicationManagement/AllowAutomaticAppArchiving</a>
</dd>
<dd>
<a href="#applicationmanagement-allowalltrustedapps">ApplicationManagement/AllowAllTrustedApps</a>
</dd>
@ -65,6 +68,62 @@ manager: dansimp
</dl>
<hr/>
<!--Policy-->
<a href="" id="applicationmanagement-allowautomaticapparchiving"></a>**ApplicationManagement/AllowAutomaticAppArchiving**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls whether the system can archive infrequently used apps.
- If you enable this policy setting, then the system will periodically check for and archive infrequently used apps.
- If you disable this policy setting, then the system will not archive any apps.
If you do not configure this policy setting (default), then the system will follow default behavior, which is to periodically check for and archive infrequently used apps, and the user will be able to configure this setting themselves.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Allow all trusted apps to install*
- GP name: *AllowAutomaticAppArchiving*
- GP path: *Windows Components/App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - Explicit disable.
- 1 - Explicit enable.
- 65535 (default) - Not configured.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
@ -775,6 +834,9 @@ Value type is string.
<!--/Description-->
<!--SupportedValues-->
> [!NOTE]
> The check for recurrence is done in a case sensitive manner. For instance the value needs to be “Daily” instead of “daily”. The wrong case will cause SmartRetry to fail to execute.
<!--/SupportedValues-->
<!--Example-->
Sample SyncML:
@ -794,7 +856,7 @@ Sample SyncML:
</Meta>
<Data>
<ForceRestart StartDateTime="2018-03-28T22:21:52Z"
Recurrence="[none/daily/weekly/monthly]"
Recurrence="[None/Daily/Weekly/Monthly]"
DayOfWeek=”1”
DayOfMonth=”12”
RunIfTaskIsMissed=”1”/>

2
windows/client-management/mdm/policy-csp-attachmentmanager.md
View File

@ -183,7 +183,7 @@ If you do not configure this policy setting, Windows does not call the registere
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Notify antivirus programs when opening attachments*
- GP Friendly name: *Notify antivirus programs when opening attachments*
- GP name: *AM_CallIOfficeAntiVirus*
- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*

56
windows/client-management/mdm/policy-csp-authentication.md
View File

@ -39,6 +39,9 @@ manager: dansimp
<dd>
<a href="#authentication-configurewebsigninallowedurls">Authentication/ConfigureWebSignInAllowedUrls</a>
</dd>
<dd>
<a href="#authentication-configurewebcamaccessdomainnames">Authentication/ConfigureWebcamAccessDomainNames</a>
</dd>
<dd>
<a href="#authentication-enablefastfirstsignin">Authentication/EnableFastFirstSignIn</a>
</dd>
@ -307,6 +310,55 @@ Specifies the list of domains that are allowed to be navigated to in AAD PIN res
**Example**: If your organization's PIN reset or Web Sign-in authentication flow is expected to navigate to two domains, accounts.contoso.com and signin.contoso.com, the policy value should be "accounts.contoso.com;signin.contoso.com".
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="authentication-configurewebcamaccessdomainnames"></a>**Authentication/ConfigureWebcamAccessDomainNames**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Specifies the list of domain names that are allowed to access the webcam in Web Sign-in Windows device sign-in scenarios.
Web Sign-in is only supported on Azure AD Joined PCs.
**Example**: If your organization federates to "Contoso IDP" and your Web Sign-in portal at "signinportal.contoso.com" requires webcam access, the policy value should be "contoso.com".
<!--/Description-->
<!--SupportedValues-->
@ -349,7 +401,7 @@ Specifies the list of domains that are allowed to be navigated to in AAD PIN res
<!--/Scope-->
<!--Description-->
> [!Warning]
> The Web Sign-in feature is in preview mode only and therefore not meant or recommended for production purposes.
> The Web Sign-in feature is in private preview mode only and not meant or recommended for production purposes. This setting is not currently supported at this time.
This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.
@ -404,7 +456,7 @@ Value type is integer. Supported values:
<!--/Scope-->
<!--Description-->
> [!Warning]
> The Web Sign-in feature is in preview mode only and therefore not meant or recommended for production purposes.
> The Web Sign-in feature is in private preview mode only and not meant or recommended for production purposes. This setting is not currently supported at this time.
"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass.

3
windows/client-management/mdm/policy-csp-browser.md
View File

@ -15,7 +15,8 @@ ms.localizationpriority: medium
# Policy CSP - Browser
> [!NOTE]
> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/).
> These settings are for the previous version of Microsoft Edge (version 45 and earlier) and are deprecated. These settings will be removed in a future Windows release. Microsoft recommends updating your version of Microsoft Edge to version 77 or later and use the ADMX Ingestion function for management. Learn more about how to [Configure Microsoft Edge using Mobile Device Management](/deployedge/configure-edge-with-mdm).
<!--Policies-->
## Browser policies

59
windows/client-management/mdm/policy-csp-defender.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 01/08/2020
ms.date: 12/29/2021
ms.reviewer:
manager: dansimp
ms.collection: highpri
@ -128,6 +128,9 @@ ms.collection: highpri
<dd>
<a href="#defender-schedulescantime">Defender/ScheduleScanTime</a>
</dd>
<dd>
<a href="#defender-securityintelligencelocation">Defender/SecurityIntelligenceLocation</a>
</dd>
<dd>
<a href="#defender-signatureupdatefallbackorder">Defender/SignatureUpdateFallbackOrder</a>
</dd>
@ -571,6 +574,9 @@ The following list shows the supported values:
<!--/SupportedValues-->
<!--/Policy-->
> [!IMPORTANT]
> AllowOnAccessProtection is officially being deprecated.
<hr/>
<!--Policy-->
@ -2060,6 +2066,57 @@ Valid values: 01380.
<hr/>
<!--Policy-->
<a href="" id="defender-securityintelligencelocation"></a>**Defender/SecurityIntelligenceLocation**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to define the security intelligence location for VDI-configured computers.
If you disable or do not configure this setting, security intelligence will be referred from the default local source.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Define security intelligence location for VDI clients*
- GP name: *SecurityIntelligenceLocation*
- GP element: *SecurityIntelligenceLocation*
- GP path: *Windows Components/Microsoft Defender Antivirus/Security Intelligence Updates*
- GP ADMX file name: *WindowsDefender.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
- Empty string - no policy is set
- Non-empty string - the policy is set and security intelligence is gathered from the location
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="defender-signatureupdatefallbackorder"></a>**Defender/SignatureUpdateFallbackOrder**

47
windows/client-management/mdm/policy-csp-devicelock.md
View File

@ -28,6 +28,9 @@ manager: dansimp
<dd>
<a href="#devicelock-allowsimpledevicepassword">DeviceLock/AllowSimpleDevicePassword</a>
</dd>
<dd>
<a href="#devicelock-allowscreentimeoutwhilelockeduserconfig">DeviceLock/AllowScreenTimeoutWhileLockedUserConfig</a>
</dd>
<dd>
<a href="#devicelock-alphanumericdevicepasswordrequired">DeviceLock/AlphanumericDevicePasswordRequired</a>
</dd>
@ -149,9 +152,49 @@ Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For th
> This policy must be wrapped in an Atomic command.
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) Blocked
- 1 Allowed
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="devicelock-allowscreentimeoutwhilelockeduserconfig"></a>**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
@ -537,7 +580,7 @@ For additional information about this policy, see [Exchange ActiveSync Policy En
The following list shows the supported values:
- An integer X where 0 &lt;= X &lt;= 999.
- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined."
- 0 (default) - No timeout is defined.
<!--/SupportedValues-->
<!--/Policy-->

83
windows/client-management/mdm/policy-csp-eap.md Normal file
View File

@ -0,0 +1,83 @@
---
title: Policy CSP - EAP
description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
# Policy CSP - EAP
<hr/>
<!--Policies-->
## EAP policies
<dl>
<dd>
<a href="#eap-allowtls1_3">EAP/AllowTLS1_3</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="eap-allowtls1_3"></a>**EAP/AllowTLS1_3**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting is added in Windows 10, version 21H1. Allow or disallow use of TLS 1.3 during EAP client authentication.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *AllowTLS1_3*
- GP name: *AllowTLS1_3*
- GP path: *Windows Components/EAP*
- GP ADMX file name: *EAP.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 Use of TLS version 1.3 is not allowed for authentication.
- 1 (default) Use of TLS version 1.3 is allowed for authentication.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--/Policies-->

77
windows/client-management/mdm/policy-csp-experience.md
View File

@ -40,9 +40,15 @@ manager: dansimp
<dd>
<a href="#experience-allowsaveasofofficefiles">Experience/AllowSaveAsOfOfficeFiles</a>
</dd>
<dd>
<a href="#experience-allowscreencapture">Experience/AllowScreenCapture</a>
</dd>
<dd>
<a href="#experience-allowsharingofofficefiles">Experience/AllowSharingOfOfficeFiles</a>
</dd>
<dd>
<a href="#experience-allowsimerrordialogpromptwhennosim">Experience/AllowSIMErrorDialogPromptWhenNoSIM</a>
</dd>
<dd>
<a href="#experience-allowsyncmysettings">Experience/AllowSyncMySettings</a>
</dd>
@ -362,6 +368,43 @@ This policy is deprecated.
<hr/>
<!--Policy-->
<a href="" id="experience-allowscreencapture"></a>**Experience/AllowScreenCapture**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
<!--SupportedValues-->
Describe what value are supported in by this policy and meaning of each value is default value.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="experience-allowsharingofofficefiles"></a>**Experience/AllowSharingOfOfficeFiles**
@ -371,6 +414,40 @@ This policy is deprecated.
<!--/Description-->
<!--/Policy-->
<!--Policy-->
<a href="" id="experience-allowsimerrordialogpromptwhennosim"></a>**Experience/AllowSIMErrorDialogPromptWhenNoSIM**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
<!--SupportedValues-->
Describes what value are supported in by this policy and meaning of each value is default value.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->

190
windows/client-management/mdm/policy-csp-humanpresence.md Normal file
View File

@ -0,0 +1,190 @@
---
title: Policy CSP - HumanPresence
description: Use the Policy CSP - HumanPresence setting allows wake on approach and lock on leave that can be managed from MDM.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
# Policy CSP - HumanPresence
<hr/>
<!--Policies-->
## HumanPresence policies
<dl>
<dd>
<a href="#humanpresence-forceinstantlock">HumanPresence/ForceInstantLock</a>
</dd>
<dd>
<a href="#humanpresence-forceinstantwake">HumanPresence/ForceInstantWake</a>
</dd>
<dd>
<a href="#humanpresence-forcelocktimeout">HumanPresence/ForceLockTimeout</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="humanpresence-forceinstantlock"></a>**HumanPresence/ForceInstantLock**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy specifies whether the device can lock when a human presence sensor detects a human.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM*
- GP name: *ForceInstantLock*
- GP path: *Windows Components/HumanPresence*
- GP ADMX file name: *HumanPresence.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 2 = ForcedOff
- 1 = ForcedOn
- 0 = DefaultToUserChoice
- Defaults to 0.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="humanpresence-forceinstantwake"></a>**HumanPresence/ForceInstantWake**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy specifies whether the device can lock when a human presence sensor detects a human.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM*
- GP name: *ForceInstantWake*
- GP path: *Windows Components/HumanPresence*
- GP ADMX file name: *HumanPresence.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 2 = ForcedOff
- 1 = ForcedOn
- 0 = DefaultToUserChoice
- Defaults to 0.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="humanpresence-forcelocktimeout"></a>**HumanPresence/ForceLockTimeout**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy specifies at what distance the sensor wakes up when it sees a human in seconds.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM*
- GP name: *ForceLockTimeout*
- GP path: *Windows Components/HumanPresence*
- GP ADMX file name: *HumanPresence.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Integer value that specifies whether the device can lock when a human presence sensor detects a human.
The following list shows the supported values:
- 120 = 120 seconds
- 30 = 30 seconds
- 10 = 10 seconds
- 0 = DefaultToUserChoice
- Defaults to 0
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--/Policies-->

59
windows/client-management/mdm/policy-csp-internetexplorer.md
View File

@ -212,6 +212,9 @@ manager: dansimp
<dd>
<a href="#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains">InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains</a>
</dd>
<dd>
<a href="#internetexplorer-enableextendediemodehotkeys">InternetExplorer/EnableExtendedIEModeHotkeys</a>
</dd>
<dd>
<a href="#internetexplorer-includealllocalsites">InternetExplorer/IncludeAllLocalSites</a>
</dd>
@ -1953,7 +1956,7 @@ ADMX Info:
<!--Description-->
This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.
Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)
Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Medium template), Intranet zone (Medium-Low template), Internet zone (Medium-high template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)
If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site.  For each entry that you add to the list, enter the following information:
@ -4270,6 +4273,58 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-enableextendediemodehotkeys"></a>**InternetExplorer/EnableExtendedIEModeHotkeys**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting lets admins enable extended Microsoft Edge Internet Explorer mode hotkeys, such as "Ctrl+S" to have "Save as" functionality.
- If you enable this policy, extended hotkey functionality is enabled in Internet Explorer mode and work the same as Internet Explorer.
- If you disable, or don't configure this policy, extended hotkeys will not work in Internet Explorer mode.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) - Disabled.
- 1 - Enabled.
<!--/SupportedValues-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Allows enterprises to provide their users with a single-browser experience*
- GP name: *EnableExtendedIEModeHotkeys*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-includealllocalsites"></a>**InternetExplorer/IncludeAllLocalSites**
@ -13951,4 +14006,4 @@ ADMX Info:
<!--/Policy-->
<hr/>
<!--/Policies-->
<!--/Policies-->

55
windows/client-management/mdm/policy-csp-kerberos.md
View File

@ -24,6 +24,9 @@ manager: dansimp
<dd>
<a href="#kerberos-allowforestsearchorder">Kerberos/AllowForestSearchOrder</a>
</dd>
<dd>
<a href="#kerberos-cloudkerberosticketretrievalenabled">Kerberos/CloudKerberosTicketRetrievalEnabled</a>
</dd>
<dd>
<a href="#kerberos-kerberosclientsupportsclaimscompoundarmor">Kerberos/KerberosClientSupportsClaimsCompoundArmor</a>
</dd>
@ -100,6 +103,58 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="kerberos-cloudkerberosticketretrievalenabled"></a>**Kerberos/CloudKerberosTicketRetrievalEnabled**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows retrieving the cloud Kerberos ticket during the logon.
- If you disable (0) or do not configure this policy setting, the cloud Kerberos ticket is not retrieved during the logon.
- If you enable (1) this policy, the cloud Kerberos ticket is retrieved during the logon.
<!--/Description-->
<!--SupportedValues-->
Valid values:
0 (default) - Disabled.
1 - Enabled.
<!--/SupportedValues-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Allow retrieving the cloud Kerberos ticket during the logon*
- GP name: *CloudKerberosTicketRetrievalEnabled*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-kerberosclientsupportsclaimscompoundarmor"></a>**Kerberos/KerberosClientSupportsClaimsCompoundArmor**

51
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

@ -25,6 +25,8 @@ manager: dansimp
</dd>
<dd>
<a href="#localpoliciessecurityoptions-accounts-enableadministratoraccountstatus">LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</a>
</dd> <dd>
<a href="#localpoliciessecurityoptions-accounts-enableguestaccountstatus">LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly">LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly</a>
@ -272,8 +274,55 @@ The following list shows the supported values:
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-accounts-enableguestaccountstatus"></a>**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This setting allows the administrator to enable the guest Administrator account.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP Friendly name: *Accounts: Enable Guest Account Status*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - disabled (local Administrator account is disabled).
- 1 - enabled (local Administrator account is enabled).
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly"></a>**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly**
<!--SupportedSKUs-->

117
windows/client-management/mdm/policy-csp-memorydump.md Normal file
View File

@ -0,0 +1,117 @@
---
title: Policy CSP - MemoryDump
description: Use the Policy CSP
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
# Policy CSP - MemoryDump
<hr/>
<!--Policies-->
## MemoryDump policies
<dl>
<dd>
<a href="#memorydump-allowcrashdump">MemoryDump/AllowCrashDump</a>
</dd>
<dd>
<a href="#memorydump-allowlivedump">MemoryDump/AllowLiveDump</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="memorydump-allowcrashdump"></a>**MemoryDump/AllowCrashDump**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting decides if crash dump collection on the machine is allowed or not.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - Disable crash dump collection.
- 1 (default) - Allow crash dump collection.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="memorydump-allowlivedump"></a>**MemoryDump/AllowLiveDump**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting decides if crash dump collection on the machine is allowed or not.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - Disable crash dump collection.
- 1 (default) - Allow crash dump collection.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--/Policies-->

180
windows/client-management/mdm/policy-csp-mixedreality.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 10/12/2021
ms.date: 1/31/2022
ms.reviewer:
manager: dansimp
---
@ -29,12 +29,21 @@ manager: dansimp
<dd>
<a href="#mixedreality-brightnessbuttondisabled">MixedReality/BrightnessButtonDisabled</a>
</dd>
<dd>
<a href="#mixedreality-configuremovingplatform">MixedReality/ConfigureMovingPlatform</a>
</dd>
<dd>
<a href="#mixedreality-fallbackdiagnostics">MixedReality/FallbackDiagnostics</a>
</dd>
<dd>
<a href="#mixedreality-headtrackingmode">MixedReality/HeadTrackingMode/a>
</dd>
<dd>
<a href="#mixedreality-microphonedisabled">MixedReality/MicrophoneDisabled</a>
</dd>
<dd>
<a href="#mixedreality-visitorautologon">MixedReality/VisitorAutoLogon</a>
</dd>
<dd>
<a href="#mixedreality-volumebuttondisabled">MixedReality/VolumeButtonDisabled</a>
</dd>
@ -49,8 +58,8 @@ manager: dansimp
|Windows Edition|Supported|
|--- |--- |
|HoloLens (1st gen) Development Edition|No|
|HoloLens (1st gen) Commercial Suite|No|
|HoloLens (first gen) Development Edition|No|
|HoloLens (first gen) Commercial Suite|No|
|HoloLens 2|Yes|
Steps to use this policy correctly:
@ -62,7 +71,7 @@ Steps to use this policy correctly:
1. Enroll HoloLens devices and verify both configurations get applied to the device.
1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created.
1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days.
1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point is that any Azure AD user must sign in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted.
1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted.
> [!NOTE]
> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments.
@ -77,22 +86,23 @@ Steps to use this policy correctly:
|Windows Edition|Supported|
|--- |--- |
|HoloLens (1st gen) Development Edition|No|
|HoloLens (1st gen) Commercial Suite|No|
|HoloLens (first gen) Development Edition|No|
|HoloLens (first gen) Commercial Suite|No|
|HoloLens 2|Yes|
<!--/Description-->
This new AutoLogonUser policy controls whether a user will be automatically logged on. Some customers want to set up devices that are tied to an identity but don't want any sign in experience. Imagine picking up a device and using remote assist immediately. Or have a benefit of being able to rapidly distribute HoloLens devices and enable their end users to speed up login.
When the policy is set to a non-empty value, it specifies the email address of the auto log on user. The specified user must logon to the device at least once to enable autologon.
When the policy is set to a non-empty value, it specifies the email address of the auto log-on user. The specified user must logon to the device at least once to enable autologon.
The OMA-URI of new policy `./Device/Vendor/MSFT/Policy/Config/MixedReality/AutoLogonUser`
<!--SupportedValues-->
String value
- User with the same email address will have autologon enabled.
On a device where this policy is configured, the user specified in the policy will need to log on at least once. Subsequent reboots of the device after the first logon will have the specified user automatically logged on. Only a single autologon user is supported. Once enabled, the automatically logged on user will not be able to log out manually. To log on as a different user, the policy must first be disabled.
On a device where this policy is configured, the user specified in the policy will need to log-on at least once. Subsequent reboots of the device after the first logon will have the specified user automatically logged on. Only a single autologon user is supported. Once enabled, the automatically logged on user will not be able to log out manually. To log-on as a different user, the policy must first be disabled.
> [!NOTE]
>
@ -120,6 +130,8 @@ This policy setting controls for how many days Azure AD group membership cache i
<!--/ADMXBacked-->
<!--SupportedValues-->
- Integer value
Supported values are 0-60. The default value is 0 (day) and maximum value is 60 (days).
<!--/SupportedValues-->
@ -133,8 +145,8 @@ Supported values are 0-60. The default value is 0 (day) and maximum value is 60
|Windows Edition|Supported|
|--- |--- |
|HoloLens (1st gen) Development Edition|No|
|HoloLens (1st gen) Commercial Suite|No|
|HoloLens (first gen) Development Edition|No|
|HoloLens (first gen) Commercial Suite|No|
|HoloLens 2|Yes|
<!--/SupportedSKUs-->
@ -158,6 +170,8 @@ This policy setting controls if pressing the brightness button changes the brigh
<!--/ADMXBacked-->
<!--SupportedValues-->
- Boolean value
The following list shows the supported values:
- 0 - False (Default)
@ -167,6 +181,48 @@ The following list shows the supported values:
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="mixedreality-configuremovingplatform"></a>**MixedReality/ConfigureMovingPlatform**
<!--SupportedSKUs-->
|Windows Edition|Supported|
|--- |--- |
|HoloLens (first gen) Development Edition|No|
|HoloLens (first gen) Commercial Suite|No|
|HoloLens 2|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls the behavior of moving platform feature on Hololens 2, that is, whether it is turned off / on or it can be toggled by a user. It should only be used by customers who intend to use Hololens 2 in moving environments with low dynamic motion. For background information, see [HoloLens 2 Moving Platform Mode | Microsoft Docs](/hololens/hololens2-moving-platform#:~:text=Why%20Moving%20Platform%20Mode%20is%20Necessary%20HoloLens%20needs%2csimilar%20pieces%20of%20information%20from%20two%20separate%20sources:).
<!--/Description-->
<!--ADMXBacked-->
<!--/ADMXBacked-->
<!--SupportedValues-->
- Integer value
- 0 (Default) - Last set user's preference. Initial state is OFF and after that user's preference is persisted across reboots and is used to initialize the system.
- 1 Force off - Moving platform is disabled and cannot be changed by user.
- 2 Force on - Moving platform is enabled and cannot be changed by user.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="mixedreality-fallbackdiagnostics"></a>**MixedReality/FallbackDiagnostics**
@ -174,8 +230,8 @@ The following list shows the supported values:
|Windows Edition|Supported|
|--- |--- |
|HoloLens (1st gen) Development Edition|No|
|HoloLens (1st gen) Commercial Suite|No|
|HoloLens (first gen) Development Edition|No|
|HoloLens (first gen) Commercial Suite|No|
|HoloLens 2|Yes|
<!--/SupportedSKUs-->
@ -199,6 +255,8 @@ This policy setting controls when and if diagnostic logs can be collected using
<!--/ADMXBacked-->
<!--SupportedValues-->
- Integer value
The following list shows the supported values:
- 0 - Disabled
@ -209,6 +267,49 @@ The following list shows the supported values:
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="mixedreality-headtrackingmode"></a>**MixedReality/HeadTrackingMode**
<!--SupportedSKUs-->
|Windows Edition|Supported|
|--- |--- |
|HoloLens (first gen) Development Edition|No|
|HoloLens (first gen) Commercial Suite|No|
|HoloLens 2|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy configures behavior of HUP to determine, which algorithm to use for head tracking. It requires a reboot for the policy to take effect.
<!--/Description-->
<!--ADMXBacked-->
<!--/ADMXBacked-->
<!--SupportedValues-->
- Boolean value
The following list shows the supported values:
- 0 - Feature Default feature based / SLAM-based tracker (Default)
- 1 - Constellation LR constellation based tracker
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="mixedreality-microphonedisabled"></a>**MixedReality/MicrophoneDisabled**
@ -216,8 +317,8 @@ The following list shows the supported values:
|Windows Edition|Supported|
|--- |--- |
|HoloLens (1st gen) Development Edition|No|
|HoloLens (1st gen) Commercial Suite|No|
|HoloLens (first gen) Development Edition|No|
|HoloLens (first gen) Commercial Suite|No|
|HoloLens 2|Yes|
<!--/SupportedSKUs-->
@ -241,6 +342,8 @@ This policy setting controls whether microphone on HoloLens 2 is disabled or not
<!--/ADMXBacked-->
<!--SupportedValues-->
- Boolean value
The following list shows the supported values:
- 0 - False (Default)
@ -257,8 +360,8 @@ The following list shows the supported values:
|Windows Edition|Supported|
|--- |--- |
|HoloLens (1st gen) Development Edition|No|
|HoloLens (1st gen) Commercial Suite|No|
|HoloLens (first gen) Development Edition|No|
|HoloLens (first gen) Commercial Suite|No|
|HoloLens 2|Yes|
<!--/SupportedSKUs-->
@ -282,6 +385,8 @@ This policy setting controls if pressing the volume button changes the volume or
<!--/ADMXBacked-->
<!--SupportedValues-->
- Boolean value
The following list shows the supported values:
- 0 - False (Default)
@ -291,4 +396,47 @@ The following list shows the supported values:
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="mixedreality-visitorautologon"></a>**MixedReality/VisitorAutoLogon**
<!--SupportedSKUs-->
|Windows Edition|Supported|
|--- |--- |
|HoloLens (first gen) Development Edition|No|
|HoloLens (first gen) Commercial Suite|No|
|HoloLens 2|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls whether a visitor user will be automatically logged in. Visitor users can only be created and logged in if an Assigned Access profile has been created targeting visitor users. A visitor user will only be automatically logged in if no other user has logged in on the device before.
<!--/Description-->
<!--ADMXBacked-->
<!--/ADMXBacked-->
<!--SupportedValues-->
- Boolean value
The following list shows the supported values:
- 0 Disabled (Default)
- 1 Enabled
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--/Policies-->

86
windows/client-management/mdm/policy-csp-newsandinterests.md Normal file
View File

@ -0,0 +1,86 @@
---
title: Policy CSP - NewsAndInterests
description: Learn how Policy CSP - NewsandInterests contains a list of news and interests.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
# Policy CSP - NewsAndInterests
<hr/>
<!--Policies-->
## NewsAndInterests policies
<dl>
<dd>
<a href="#newsandinterests-allownewsandinterests">NewsAndInterests/AllowNewsAndInterests</a>
</dd>
<hr/>
<!--Policy-->
<a href="" id="newsandinterests-allownewsandinterests"></a>**NewsAndInterests/AllowNewsAndInterests**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy specifies whether to allow the entire widgets experience, including the content on taskbar.
<!--/Description-->
<!--SupportedValues-->
The following are the supported values:
- 1 - Default - Allowed
- 0 - Not allowed.
<!--/SupportedValues-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Specifies whether to allow the entire widgets experience, including the content on taskbar*.
- GP name: *AllowNewsAndInterests*
- GP path: *Network/NewsandInterests*
- GP ADMX file name: *NewsandInterests.admx*
<!--/ADMXMapped-->
<!--/Policy-->
<hr/>
<!--/Policies-->

77
windows/client-management/mdm/policy-csp-notifications.md
View File

@ -31,6 +31,9 @@ manager: dansimp
<dd>
<a href="#notifications-disallowtilenotification">Notifications/DisallowTileNotification</a>
</dd>
<dd>
<a href="#notifications-wnsendpoint">Notifications/WnsEndpoint</a>
</dd>
</dl>
@ -208,5 +211,77 @@ Validation:
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="notifications-wnsendpoint"></a>**Notifications/WnsEndpoint**
<!--/Policies-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Machine
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting determines which Windows Notification Service endpoint will be used to connect for Windows Push Notifications.
If you disable or do not configure this setting, the push notifications will connect to the default endpoint of client.wns.windows.com.
Note: Ensure the proper WNS FQDNs, VIPs, IPs and Ports are also allowlisted from your firewall settings.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Required for Airgap servers that may have a unique FQDN that is different from the public endpoint*
- GP name: *WnsEndpoint*
- GP path: *Start Menu and Taskbar/Notifications*
- GP ADMX file name: *WPN.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
If the policy is not specified, we will default our connection to client.wns.windows.com.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--/Policies-->

71
windows/client-management/mdm/policy-csp-power.md
View File

@ -14,14 +14,16 @@ manager: dansimp
# Policy CSP - Power
<hr/>
<!--Policies-->
## Power policies
<dl>
<dd>
<a href="#power-allowhibernate">Power/AllowHibernate</a>
</dd>
<dd>
<a href="#power-allowstandbystateswhensleepingonbattery">Power/AllowStandbyStatesWhenSleepingOnBattery</a>
</dd>
@ -98,6 +100,71 @@ manager: dansimp
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!--Policy-->
<a href="" id="power-allowhibernate"></a>**Power/AllowHibernate**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>No</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>No</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Decides if hibernate on the machine is allowed or not*
- GP name: *AllowHibernate*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->

302
windows/client-management/mdm/policy-csp-printers.md
View File

@ -22,6 +22,18 @@ manager: dansimp
## Printers policies
<dl>
<dd>
<a href="#printers-approvedusbprintdevices">Printers/ApprovedUsbPrintDevices</a>
</dd>
<dd>
<a href="#printers-approvedusbprintdevicesuser">Printers/ApprovedUsbPrintDevicesUser</a>
</dd>
<dd>
<a href="#printers-enabledevicecontrol">Printers/EnableDeviceControl</a>
</dd>
<dd>
<a href="#printers-enabledevicecontroluser">Printers/EnableDeviceControlUser</a>
</dd>
<dd>
<a href="#printers-pointandprintrestrictions">Printers/PointAndPrintRestrictions</a>
</dd>
@ -42,6 +54,296 @@ manager: dansimp
<hr/>
<!--Policy-->
<a href="" id="printers-approvedusbprintdevices"></a>**Printers/ApprovedUsbPrintDevices**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy implements the print portion of the Device Control requirements.
These requirements include restricting printing to USB connected printers which match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network.
This policy will contain the comma separated list of approved USB Vid&Pid combinations which the print spooler will allow to print when Device Control is enabled.
The format of this setting is `<vid>/<pid>[,<vid>/<pid>]`
Parent deliverable: 26209274 - Device Control: Printer
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Support for new Device Control Print feature*
- GP name: *ApprovedUsbPrintDevices*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="printers-approvedusbprintdevicesuser"></a>**Printers/ApprovedUsbPrintDevicesUser**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy implements the print portion of the Device Control requirements.
These requirements include restricting printing to USB connected printers which match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network.
This policy will contain the comma separated list of approved USB Vid&Pid combinations which the print spooler will allow to print when Device Control is enabled.
The format of this setting is `<vid>/<pid>[,<vid>/<pid>]`
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Support for new Device Control Print feature*
- GP name: *ApprovedUsbPrintDevicesUser*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--Policy-->
<a href="" id="printers-enabledevicecontrol"></a>**Printers/EnableDeviceControl**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy implements the print portion of the Device Control requirements.
These requirements include restricting printing to USB connected printers which match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network.
This policy will control whether the print spooler will attempt to restrict printing as part of Device Control.
The default value of the policy will be Unconfigured.
If the policy value is either Unconfigured or Disabled the print spooler will not restrict printing.
If the policy value is Enabled the print spooler will restrict local printing to USB devices in the Approved Device list.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Support for new Device Control Print feature*
- GP name: *EnableDeviceControl*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="printers-enabledevicecontroluser"></a>**Printers/EnableDeviceControlUser**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy implements the print portion of the Device Control requirements.
These requirements include restricting printing to USB connected printers which match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network.
This policy will control whether the print spooler will attempt to restrict printing as part of Device Control.
The default value of the policy will be Unconfigured.
If the policy value is either Unconfigured or Disabled the print spooler will not restrict printing.
If the policy value is Enabled the print spooler will restrict local printing to USB devices in the Approved Device list.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Support for new Device Control Print feature*
- GP name: *EnableDeviceControlUser*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="printers-pointandprintrestrictions"></a>**Printers/PointAndPrintRestrictions**

135
windows/client-management/mdm/policy-csp-remotedesktop.md Normal file
View File

@ -0,0 +1,135 @@
---
title: Policy CSP - RemoteDesktop
description: Learn how the Policy CSP - RemoteDesktop setting allows you to specify a custom message to display.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
# Policy CSP - RemoteDesktop
<hr/>
<!--Policies-->
## RemoteDesktop policies
<dl>
<dd>
<a href="#remotedesktop-autosubscription">RemoteDesktop/AutoSubscription</a>
</dd>
<dd>
<a href="#remotedesktop-loadaadcredkeyfromprofile">RemoteDesktop/LoadAadCredKeyFromProfile</a>
</dd>
</dl>
> [!TIP]
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!--Policy-->
<a href="" id="remotedesktop-autosubscription"></a>**RemoteDesktop/AutoSubscription<**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows the user to load the DPAPI cred key from their user profile and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Customize warning messages*
- GP name: *AutoSubscription*
- GP path: *System/Remote Desktop*
- GP ADMX file name: *remotedesktop.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="remotedesktop-loadaadcredkeyfromprofile"></a>**RemoteDesktop/LoadAadCredKeyFromProfile**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows the user to load the DPAPI cred key from their user profile and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) - Disabled.
- 1 - Enabled.
<!--/SupportedValues-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Allow DPAPI cred keys to be loaded from user profiles during logon for AADJ accounts*
- GP name: *LoadAadCredKeyFromProfile*
- GP path: *System/RemoteDesktop*
- GP ADMX file name: *remotedesktop.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->

12
windows/client-management/mdm/policy-csp-remotedesktopservices.md
View File

@ -93,7 +93,7 @@ You can limit the number of users who can connect simultaneously by configuring
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow users to connect remotely by using Remote Desktop Services*
- GP Friendly name: *Allow users to connect remotely by using Remote Desktop Services*
- GP name: *TS_DISABLE_CONNECTIONS*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections*
- GP ADMX file name: *terminalserver.admx*
@ -149,7 +149,7 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Set client connection encryption level*
- GP Friendly name: *Set client connection encryption level*
- GP name: *TS_ENCRYPTION_POLICY*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
@ -199,7 +199,7 @@ If you do not configure this policy setting, client drive redirection and Clipbo
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow drive redirection*
- GP Friendly name: *Do not allow drive redirection*
- GP name: *TS_CLIENT_DRIVE_M*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection*
- GP ADMX file name: *terminalserver.admx*
@ -245,7 +245,7 @@ If you disable this setting or leave it not configured, the user will be able to
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow passwords to be saved*
- GP Friendly name: *Do not allow passwords to be saved*
- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client*
- GP ADMX file name: *terminalserver.admx*
@ -297,7 +297,7 @@ If you do not configure this policy setting, automatic logon is not specified at
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Always prompt for password upon connection*
- GP Friendly name: *Always prompt for password upon connection*
- GP name: *TS_PASSWORD*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
@ -349,7 +349,7 @@ Note: The RPC interface is used for administering and configuring Remote Desktop
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Require secure RPC communication*
- GP Friendly name: *Require secure RPC communication*
- GP name: *TS_RPC_ENCRYPTION*
- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*

30
windows/client-management/mdm/policy-csp-remotemanagement.md
View File

@ -114,7 +114,7 @@ If you disable or do not configure this policy setting, the WinRM client does no
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow Basic authentication*
- GP Friendly name: *Allow Basic authentication*
- GP name: *AllowBasic_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -160,7 +160,7 @@ If you disable or do not configure this policy setting, the WinRM service does n
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow Basic authentication*
- GP Friendly name: *Allow Basic authentication*
- GP name: *AllowBasic_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -206,7 +206,7 @@ If you disable or do not configure this policy setting, the WinRM client does no
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow CredSSP authentication*
- GP Friendly name: *Allow CredSSP authentication*
- GP name: *AllowCredSSP_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -252,7 +252,7 @@ If you disable or do not configure this policy setting, the WinRM service does n
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow CredSSP authentication*
- GP Friendly name: *Allow CredSSP authentication*
- GP name: *AllowCredSSP_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -311,7 +311,7 @@ Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FE
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow remote server management through WinRM*
- GP Friendly name: *Allow remote server management through WinRM*
- GP name: *AllowAutoConfig*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -357,7 +357,7 @@ If you disable or do not configure this policy setting, the WinRM client sends o
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow unencrypted traffic*
- GP Friendly name: *Allow unencrypted traffic*
- GP name: *AllowUnencrypted_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -403,7 +403,7 @@ If you disable or do not configure this policy setting, the WinRM client sends o
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow unencrypted traffic*
- GP Friendly name: *Allow unencrypted traffic*
- GP name: *AllowUnencrypted_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -449,7 +449,7 @@ If you disable or do not configure this policy setting, the WinRM client uses Di
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Disallow Digest authentication*
- GP Friendly name: *Disallow Digest authentication*
- GP name: *DisallowDigest*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -495,7 +495,7 @@ If you disable or do not configure this policy setting, the WinRM client uses Ne
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Disallow Negotiate authentication*
- GP Friendly name: *Disallow Negotiate authentication*
- GP name: *DisallowNegotiate_2*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -541,7 +541,7 @@ If you disable or do not configure this policy setting, the WinRM service accept
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Disallow Negotiate authentication*
- GP Friendly name: *Disallow Negotiate authentication*
- GP name: *DisallowNegotiate_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -589,7 +589,7 @@ If you enable and then disable this policy setting,any values that were previous
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Disallow WinRM from storing RunAs credentials*
- GP Friendly name: *Disallow WinRM from storing RunAs credentials*
- GP name: *DisableRunAs*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -641,7 +641,7 @@ If HardeningLevel is set to None, all requests are accepted (though they are not
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify channel binding token hardening level*
- GP Friendly name: *Specify channel binding token hardening level*
- GP name: *CBTHardeningLevel_1*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -687,7 +687,7 @@ If you disable or do not configure this policy setting and the WinRM client need
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Trusted Hosts*
- GP Friendly name: *Trusted Hosts*
- GP name: *TrustedHosts*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -737,7 +737,7 @@ A listener might be automatically created on port 80 to ensure backward compatib
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn On Compatibility HTTP Listener*
- GP Friendly name: *Turn On Compatibility HTTP Listener*
- GP name: *HttpCompatibilityListener*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@ -787,7 +787,7 @@ A listener might be automatically created on port 443 to ensure backward compati
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn On Compatibility HTTPS Listener*
- GP Friendly name: *Turn On Compatibility HTTPS Listener*
- GP name: *HttpsCompatibilityListener*
- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*

4
windows/client-management/mdm/policy-csp-remoteprocedurecall.md
View File

@ -78,7 +78,7 @@ Note: This policy will not be applied until the system is rebooted.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Enable RPC Endpoint Mapper Client Authentication*
- GP Friendly name: *Enable RPC Endpoint Mapper Client Authentication*
- GP name: *RpcEnableAuthEpResolution*
- GP path: *System/Remote Procedure Call*
- GP ADMX file name: *rpc.admx*
@ -137,7 +137,7 @@ If you enable this policy setting, it directs the RPC server runtime to restrict
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Restrict Unauthenticated RPC clients*
- GP Friendly name: *Restrict Unauthenticated RPC clients*
- GP name: *RpcRestrictRemoteClients*
- GP path: *System/Remote Procedure Call*
- GP ADMX file name: *rpc.admx*

14
windows/client-management/mdm/policy-csp-remoteshell.md
View File

@ -89,7 +89,7 @@ If you set this policy to disabled, new remote shell connections are rejec
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow Remote Shell Access*
- GP Friendly name: *Allow Remote Shell Access*
- GP name: *AllowRemoteShellAccess*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
@ -137,7 +137,7 @@ If you disable or do not configure this policy setting, the default number is fi
<!--ADMXBacked-->
ADMX Info:
- GP English name: *MaxConcurrentUsers*
- GP Friendly name: *MaxConcurrentUsers*
- GP name: *MaxConcurrentUsers*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
@ -185,7 +185,7 @@ If you do not configure or disable this policy setting, the default value of 900
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify idle Timeout*
- GP Friendly name: *Specify idle Timeout*
- GP name: *IdleTimeout*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
@ -233,7 +233,7 @@ If you disable or do not configure this policy setting, the value 150 is used by
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify maximum amount of memory in MB per Shell*
- GP Friendly name: *Specify maximum amount of memory in MB per Shell*
- GP name: *MaxMemoryPerShellMB*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
@ -279,7 +279,7 @@ If you disable or do not configure this policy setting, the limit is five proce
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify maximum number of processes per Shell*
- GP Friendly name: *Specify maximum number of processes per Shell*
- GP name: *MaxProcessesPerShell*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
@ -327,7 +327,7 @@ If you disable or do not configure this policy setting, by default the limit is
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify maximum number of remote shells per user*
- GP Friendly name: *Specify maximum number of remote shells per user*
- GP name: *MaxShellsPerUser*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
@ -369,7 +369,7 @@ This policy setting is deprecated and has no effect when set to any state: Enabl
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Specify Shell Timeout*
- GP Friendly name: *Specify Shell Timeout*
- GP name: *ShellTimeOut*
- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*

50
windows/client-management/mdm/policy-csp-search.md
View File

@ -24,6 +24,9 @@ manager: dansimp
<dd>
<a href="#search-allowcloudsearch">Search/AllowCloudSearch</a>
</dd>
<dd>
<a href="#search-allowcortanainaad">Search/AllowCortanaInAAD</a>
</dd>
<dd>
<a href="#search-allowfindmyfiles">Search/AllowFindMyFiles</a>
</dd>
@ -96,7 +99,7 @@ Allow search and Cortana to search cloud sources like OneDrive and SharePoint. T
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow Cloud Search*
- GP Friendly name: *Allow Cloud Search*
- GP name: *AllowCloudSearch*
- GP element: *AllowCloudSearch_Dropdown*
- GP path: *Windows Components/Search*
@ -115,6 +118,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="search-allowcortanainaad"></a>**Search/AllowCortanaInAAD**
<!--SupportedSKUs-->
@ -137,6 +141,30 @@ The following list shows the supported values:
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows the cortana opt-in page during windows setup out of the box experience.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Allow Cloud Search*
- GP name: *AllowCortanaInAAD*
- GP element: *AllowCloudSearch_Dropdown*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
This is a simple boolean value, default false, that can be set by MDM policy to allow the Cortana Page in OOBE when logged in with an AAD account.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="search-allowfindmyfiles"></a>**Search/AllowFindMyFiles**
@ -168,7 +196,7 @@ Controls if the user can configure search to Find My Files mode, which searches
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow Find My Files*
- GP Friendly name: *Allow Find My Files*
- GP name: *AllowFindMyFiles*
- GP path: *Computer Configuration/Administrative Templates/Windows Components/Search*
- GP ADMX file name: *Search.admx*
@ -228,7 +256,7 @@ Most restricted value is 0.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow indexing of encrypted files*
- GP Friendly name: *Allow indexing of encrypted files*
- GP name: *AllowIndexingEncryptedStoresOrItems*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
@ -278,7 +306,7 @@ Most restricted value is 0.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow search and Cortana to use location*
- GP Friendly name: *Allow search and Cortana to use location*
- GP name: *AllowSearchToUseLocation*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
@ -340,7 +368,7 @@ Most restricted value is 0.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow use of diacritics*
- GP Friendly name: *Allow use of diacritics*
- GP name: *AllowUsingDiacritics*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
@ -424,7 +452,7 @@ Most restricted value is 0.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Always use automatic language detection when indexing content and properties*
- GP Friendly name: *Always use automatic language detection when indexing content and properties*
- GP name: *AlwaysUseAutoLangDetection*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
@ -472,7 +500,7 @@ If enabled, the search indexer backoff feature will be disabled. Indexing will c
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Disable indexer backoff*
- GP Friendly name: *Disable indexer backoff*
- GP name: *DisableBackoff*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
@ -524,7 +552,7 @@ If you disable or do not configure this policy setting, locations on removable d
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Do not allow locations on removable drives to be added to libraries*
- GP Friendly name: *Do not allow locations on removable drives to be added to libraries*
- GP name: *DisableRemovableDriveIndexing*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
@ -577,7 +605,7 @@ If you disable this policy setting, queries will be performed on the web and web
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Don't search the web or display web results in Search*
- GP Friendly name: *Don't search the web or display web results in Search*
- GP name: *DoNotUseWebResults*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
@ -629,7 +657,7 @@ When this policy is disabled or not configured, Windows Desktop Search automatic
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Stop indexing in the event of limited hard drive space*
- GP Friendly name: *Stop indexing in the event of limited hard drive space*
- GP name: *StopIndexingOnLimitedHardDriveSpace*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
@ -677,7 +705,7 @@ If enabled, clients will be unable to query this computer's index remotely. Thus
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Prevent clients from querying the index remotely*
- GP Friendly name: *Prevent clients from querying the index remotely*
- GP name: *PreventRemoteQueries*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*

2
windows/client-management/mdm/policy-csp-security.md
View File

@ -190,7 +190,7 @@ Admin access is required. The prompt will appear on first admin logon after a re
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Configure the system to clear the TPM if it is not in a ready state.*
- GP Friendly name: *Configure the system to clear the TPM if it is not in a ready state.*
- GP name: *ClearTPMIfNotReady_Name*
- GP path: *System/Trusted Platform Module Services*
- GP ADMX file name: *TPM.admx*

2
windows/client-management/mdm/policy-csp-servicecontrolmanager.md
View File

@ -75,7 +75,7 @@ If you disable or do not configure this policy setting, the stricter security se
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Enable svchost.exe mitigation options*
- GP Friendly name: *Enable svchost.exe mitigation options*
- GP name: *SvchostProcessMitigationEnable*
- GP path: *System/Service Control Manager Settings/Security Settings*
- GP ADMX file name: *ServiceControlManager.admx*

65
windows/client-management/mdm/policy-csp-settings.md
View File

@ -29,6 +29,9 @@ manager: dansimp
<dd>
<a href="#settings-allowdatetime">Settings/AllowDateTime</a>
</dd>
<dd>
<a href="#settings-alloweditdevicename">Settings/AllowEditDeviceName</a>
</dd>
<dd>
<a href="#settings-allowlanguage">Settings/AllowLanguage</a>
</dd>
@ -191,6 +194,68 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="settings-alloweditdevicename"></a>**Settings/AllowEditDeviceName**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy disables edit device name option on Settings.
<!--/Description-->
<!--SupportedValues-->
Describes what value are supported in by this policy and meaning of each value, default value.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="settings-allowlanguage"></a>**Settings/AllowLanguage**

136
windows/client-management/mdm/policy-csp-start.md
View File

@ -51,6 +51,9 @@ manager: dansimp
<dd>
<a href="#start-allowpinnedfoldervideos">Start/AllowPinnedFolderVideos</a>
</dd>
<dd>
<a href="#start-configurestartpins">Start/ConfigureStartPins</a>
</dd>
<dd>
<a href="#start-disablecontextmenus">Start/DisableContextMenus</a>
</dd>
@ -108,6 +111,9 @@ manager: dansimp
<dd>
<a href="#start-nopinningtotaskbar">Start/NoPinningToTaskbar</a>
</dd>
<dd>
<a href="#start-showorhidemostusedapps">Start/ShowOrHideMostUsedApps</a>
</dd>
<dd>
<a href="#start-startlayout">Start/StartLayout</a>
</dd>
@ -526,6 +532,67 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="start-configurestartpins"></a>**Start/ConfigureStartPins**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy will allow admins to push a new list of pinned apps to override the default/current list of pinned apps in the Windows 11 start menu experience.
It contains details on how to configure the start menu on Windows 11, see [/windows-hardware/customize/desktop/customize-the-windows-11-start-menu](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu)
<!--/Description-->
<!--SupportedValues-->
This string policy will take a JSON file (expected name LayoutModification.json), which enumerates the items to pin and their relative order.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="start-disablecontextmenus"></a>**Start/DisableContextMenus**
@ -1498,6 +1565,75 @@ To validate on Desktop, do the following:
<hr/>
<!--Policy-->
<a href="" id="start-showorhidemostusedapps"></a>**Start/ShowOrHideMostUsedApps**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
> * User
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 1 - Force showing of Most Used Apps in Start Menu, user cannot change in Settings
- 0 - Force hiding of Most Used Apps in Start Menu, user cannot change in Settings
- Not set - User can use Settings to hide or show Most Used Apps in Start Menu
On clean install, the user setting defaults to "hide".
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="start-startlayout"></a>**Start/StartLayout**

259
windows/client-management/mdm/policy-csp-storage.md
View File

@ -48,6 +48,18 @@ manager: dansimp
<dd>
<a href="#storage-removablediskdenywriteaccess">Storage/RemovableDiskDenyWriteAccess</a>
</dd>
<dd>
<a href="#storage-wpddevicesdenyreadaccessperdevice">Storage/WPDDevicesDenyReadAccessPerDevice</a>
</dd>
<dd>
<a href="#storage-wpddevicesdenyreadaccessperuser">Storage/WPDDevicesDenyReadAccessPerUser</a>
</dd>
<dd>
<a href="#storage-wpddevicesdenywriteaccessperdevice">Storage/WPDDevicesDenyWriteAccessPerDevice</a>
</dd>
<dd>
<a href="#storage-wpddevicesdenywriteaccessperuser">Storage/WPDDevicesDenyWriteAccessPerUser</a>
</dd>
</dl>
@ -566,5 +578,252 @@ See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settin
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="storage-wpddevicesdenyreadaccessperdevice"></a>**Storage/WPDDevicesDenyReadAccessPerDevice**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android:
- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
- Mass Storage Class (MSC) over USB
To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46).
If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android.
>[!NOTE]
> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
Supported values for this policy are:
- Not configured
- Enabled
- Disabled
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *WPD Devices: Deny read access*
- GP name: *WPDDevices_DenyRead_Access_2*
- GP path: *System/Removable Storage Access*
- GP ADMX file name: *RemovableStorage.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="storage-wpddevicesdenyreadaccessperuser"></a>**Storage/WPDDevicesDenyReadAccessPerUser**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android:
- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
- Mass Storage Class (MSC) over USB
To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46).
If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android.
>[!NOTE]
> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
Supported values for this policy are:
- Not configured
- Enabled
- Disabled
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *WPD Devices: Deny read access*
- GP name: *WPDDevices_DenyRead_Access_1*
- GP path: *System/Removable Storage Access*
- GP ADMX file name: *RemovableStorage.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="storage-wpddevicesdenywriteaccessperdevice"></a>**Storage/WPDDevicesDenyWriteAccessPerDevice**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android:
- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
- Mass Storage Class (MSC) over USB
To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46).
If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android.
>[!NOTE]
> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
Supported values for this policy are:
- Not configured
- Enabled
- Disabled
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *WPD Devices: Deny write access*
- GP name: *WPDDevices_DenyWrite_Access_2*
- GP path: *System/Removable Storage Access*
- GP ADMX file name: *RemovableStorage.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="storage-wpddevicesdenywriteaccessperuser"></a>**Storage/WPDDevicesDenyWriteAccessPerUser**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android:
- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
- Mass Storage Class (MSC) over USB
To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46).
If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android.
>[!NOTE]
> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
Supported values for this policy are:
- Not configured
- Enabled
- Disabled
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *WPD Devices: Deny write access*
- GP name: *WPDDevices_DenyWrite_Access_1*
- GP path: *System/Removable Storage Access*
- GP ADMX file name: *RemovableStorage.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--/Policies-->

10
windows/client-management/mdm/policy-csp-textinput.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.date: 03/03/2022
ms.reviewer:
manager: dansimp
---
@ -1084,15 +1084,15 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Specifies whether the emoji button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the emoji button on touch keyboard is disabled.
Specifies whether the emoji, GIF (only in Windows 11), and kaomoji (only in Windows 11) buttons are available or unavailable for the touch keyboard. When this policy is set to disabled, the buttons are hidden and unavailable.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) - The OS determines when it's most appropriate to be available.
- 1 - Emoji button on keyboard is always available.
- 2 - Emoji button on keyboard is always disabled.
- 0 (default) - The OS determines when buttons are most appropriate to be available.
- 1 - Emoji, GIF, and Kaomoji buttons on the touch keyboard are always available.
- 2 - Emoji, GIF, and Kaomoji buttons on the touch keyboard are always unavailable.
<!--/SupportedValues-->
<!--/Policy-->

865
windows/client-management/mdm/policy-csp-update.md
View File

File diff suppressed because it is too large Load Diff

2
windows/client-management/mdm/surfacehub-csp.md
View File

@ -31,7 +31,7 @@ SurfaceHub
--------Email
--------CalendarSyncEnabled
--------ErrorContext
--------PasswordRotationPeriod
--------PasswordRotationEnabled
----MaintenanceHoursSimple
--------Hours
------------StartTime

17
windows/client-management/mdm/toc.yml
View File

@ -149,8 +149,6 @@ items:
items:
- name: BitLocker DDF file
href: bitlocker-ddf-file.md
- name: BrowserFavorite CSP
href: browserfavorite-csp.md
- name: CellularSettings CSP
href: cellularsettings-csp.md
- name: CertificateStore CSP
@ -701,6 +699,8 @@ items:
href: policy-csp-display.md
- name: DmaGuard
href: policy-csp-dmaguard.md
- name: EAP
href: policy-csp-eap.md
- name: Education
href: policy-csp-education.md
- name: EnterpriseCloudPrint
@ -721,6 +721,8 @@ items:
href: policy-csp-games.md
- name: Handwriting
href: policy-csp-handwriting.md
- name: HumanPresence
href: policy-csp-humanpresence.md
- name: InternetExplorer
href: policy-csp-internetexplorer.md
- name: Kerberos
@ -739,6 +741,8 @@ items:
href: policy-csp-lockdown.md
- name: Maps
href: policy-csp-maps.md
- name: MemoryDump
href: policy-csp-memorydump.md
- name: Messaging
href: policy-csp-messaging.md
- name: MixedReality
@ -753,6 +757,8 @@ items:
href: policy-csp-networkisolation.md
- name: NetworkListManager
href: policy-csp-networklistmanager.md
- name: NewsAndInterests
href: policy-csp-newsandinterests.md
- name: Notifications
href: policy-csp-notifications.md
- name: Power
@ -763,6 +769,8 @@ items:
href: policy-csp-privacy.md
- name: RemoteAssistance
href: policy-csp-remoteassistance.md
- name: RemoteDesktop
href: policy-csp-remotedesktop.md
- name: RemoteDesktopServices
href: policy-csp-remotedesktopservices.md
- name: RemoteManagement
@ -955,6 +963,11 @@ items:
items:
- name: WindowsAdvancedThreatProtection DDF file
href: windowsadvancedthreatprotection-ddf.md
- name: WindowsAutoPilot CSP
href: windowsautopilot-csp.md
items:
- name: WindowsAutoPilot DDF file
href: windowsautopilot-ddf-file.md
- name: WindowsDefenderApplicationGuard CSP
href: windowsdefenderapplicationguard-csp.md
items:

2
windows/client-management/mdm/update-csp.md
View File

@ -204,7 +204,7 @@ Added in Windows 10, version 1803. Roll Back Latest Feature Update, if the machi
- Condition 4: Machine should be within the uninstall period
> [!NOTE]
> This only works for Semi-Annual Channel Targeted devices.
> This only works for General Availability Channel Targeted devices.
If the conditions are not true, the device will not Roll Back the Latest Feature Update.

22
windows/client-management/mdm/w4-application-csp.md
View File

@ -19,11 +19,12 @@ Use an **APPLICATION** configuration service provider that has an APPID of w4 to
The default security roles are defined in the root characteristic, and map to each subnode unless specific permission is granted to the subnode. The default security roles are Manager, Operator, and Operator TPS.
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_W4\_APPLICATION capabilities to be accessed from a network configuration application.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_W4\_APPLICATION capabilities to be accessed from a network configuration application.
The following shows the configuration service provider in tree format as used by OMA Client Provisioning.
```console
```cmd
APPLICATION
----APPID
----NAME
@ -45,11 +46,10 @@ This parameter takes a string value. The possible values to configure the NAME p
- no value specified
> **Note**  MDM servers should resend APPLICATION/NAME to DMAcc after an upgrade because this value is displayed in the UI but not saved in Windows Phone 8.1 and cannot be migrated to Windows 10.
> [!NOTE]
> The APPLICATION/NAME value is displayed in the UI. The APPLICATION/NAME value might not be saved on the device. So after an upgrade, the MDM servers should resend APPLICATION/NAME to DMAcc.
 
If no value is specified, the registry location will default to &lt;unnamed&gt;.
If no value is specified, the registry location will default to `<unnamed>`.
If `Name` is greater than 40 characters, it will be truncated to 40 characters.
@ -77,13 +77,3 @@ Optional. The maximum authorized size, in KB, for multimedia content. This param
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

29
windows/client-management/mdm/windowsautopilot-csp.md Normal file
View File

@ -0,0 +1,29 @@
---
title: WindowsAutoPilot CSP
description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, which results in security and privacy concerns in Autopilot.
ms.assetid: E6BC6B0D-1F16-48A5-9AC4-76D69A7EDDA6
ms.reviewer:
manager: dansimp
ms.author: v-nsatapathy
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 02/07/2022
---
# WindowsAutoPilot CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot.” with “The WindowsAutopilot CSP exposes Windows Autopilot related device information.” Because the CSP description should be more general/high level.
**./Vendor/MSFT/WindowsAutopilot**
Root node. Supported operation is Get.
**HardwareMismatchRemediationData**
Interior node. Supported operation is Get. Collects hardware information about a device and returns it as an encoded string. This string is used as input for calling Windows Autopilot Service to remediate a device if the device underwent a hardware change that affects its ability to use Windows Autopilot.

76
windows/client-management/mdm/windowsautopilot-ddf-file.md Normal file
View File

@ -0,0 +1,76 @@
---
title: WindowsAutoPilot DDF file
description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, for the WindowsAutoPilot DDF file configuration service provider (CSP) .
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 02/07/2022
ms.reviewer:
manager: dansimp
---
# WindowsAutoPilot DDF file
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the device description framework (DDF) for the **WindowsAutoPilot** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
```xml
<NodeName>WindowsAutopilot</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>These settings enable configuration of Windows Autopilot</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/WindowsAutopilot</MIME>
</DFType>
<Applicability>
<OsBuildVersion>99.9.99999, 10.0.19041.1202, 10.0.19042.1202, 10.0.19043.1202</OsBuildVersion>
<CspVersion>1.0</CspVersion>
</Applicability>
<ExposedTo>
<Mdm />
</ExposedTo>
</DFProperties>
<Node>
<NodeName>HardwareMismatchRemediationData</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This data is used to remediate Autopilot hardware mismatches.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
</cspDefinition>
</identity>
```

20
windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
View File

@ -67,7 +67,7 @@ The following list shows the supported values:
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Configure Microsoft Defender Application Guard clipboard settings*
- GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings*
- GP name: *AppHVSIClipboardFileType*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
@ -91,7 +91,7 @@ The following list shows the supported values:
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Configure Microsoft Defender Application Guard clipboard settings*
- GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings*
- GP name: *AppHVSIClipboardSettings*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
@ -124,7 +124,7 @@ The following list shows the supported values:
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Configure Microsoft Defender Application Guard print settings*
- GP Friendly name: *Configure Microsoft Defender Application Guard print settings*
- GP name: *AppHVSIPrintingSettings*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
@ -146,7 +146,7 @@ The following list shows the supported values:
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer*
- GP Friendly name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer*
- GP name: *BlockNonEnterpriseContent*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
@ -165,7 +165,7 @@ The following list shows the supported values:
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow data persistence for Microsoft Defender Application Guard*
- GP Friendly name: *Allow data persistence for Microsoft Defender Application Guard*
- GP name: *AllowPersistence*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
@ -189,7 +189,7 @@ The following list shows the supported values:
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard*
- GP Friendly name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard*
- GP name: *AllowVirtualGPU*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
@ -208,7 +208,7 @@ The following list shows the supported values:
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard*
- GP Friendly name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard*
- GP name: *SaveFilesToHost*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
@ -230,7 +230,7 @@ If you disable or dont configure this setting, certificates are not shared wi
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device*
- GP Friendly name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device*
- GP name: *CertificateThumbprints*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
@ -259,7 +259,7 @@ The following list shows the supported values:
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow camera and microphone access in Microsoft Defender Application Guard*
- GP Friendly name: *Allow camera and microphone access in Microsoft Defender Application Guard*
- GP name: *AllowCameraMicrophoneRedirection*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
@ -317,7 +317,7 @@ The following list shows the supported values:
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow auditing events in Microsoft Defender Application Guard*
- GP Friendly name: *Allow auditing events in Microsoft Defender Application Guard*
- GP name: *AuditApplicationGuard*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*

25
windows/client-management/new-policies-for-windows-10.md
View File

@ -1,6 +1,6 @@
---
title: New policies for Windows 10 (Windows 10)
description: Learn how Windows 10 includes new policies for management, like Group Policy settings for the Windows system and components.
description: Learn how Windows 10 includes new policies for management, like Group Policy settings for the Windows system and components.
ms.assetid: 1F24ABD8-A57A-45EA-BA54-2DA2238C573D
ms.reviewer:
manager: dansimp
@ -20,8 +20,8 @@ ms.topic: reference
**Applies to**
- Windows 10
- Windows 11
- Windows 10
- Windows 11
As of September 2020 This page will no longer be updated. To find the Group Polices that ship in each version of Windows, refer to the Group Policy Settings Reference Spreadsheet. You can always locate the most recent version of the Spreadsheet by searching the Internet for "Windows Version + Group Policy Settings Reference".
@ -57,7 +57,7 @@ The following Group Policy settings were added in Windows 10, version 1903:
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use WDDM graphics display driver for Remote Desktop Connections
- Windows Components\Windows Logon Options\Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot
## New Group Policy settings in Windows 10, version 1809
## New Group Policy settings in Windows 10, version 1809
The following Group Policy settings were added in Windows 10, version 1809:
@ -242,7 +242,7 @@ The following Group Policy settings were added in Windows 10, version 1809:
- Network\Windows Connection Manager\Enable Windows to soft-disconnect a computer from a network
## New Group Policy settings in Windows 10, version 1803
## New Group Policy settings in Windows 10, version 1803
The following Group Policy settings were added in Windows 10, version 1803:
@ -282,7 +282,7 @@ The following Group Policy settings were added in Windows 10, version 1803:
- Windows Components\Windows Defender Security Center\Virus and threat protection\Hide the Ransomware data recovery area
## New Group Policy settings in Windows 10, version 1709
## New Group Policy settings in Windows 10, version 1709
The following Group Policy settings were added in Windows 10, version 1709:
@ -351,7 +351,7 @@ The following Group Policy settings were added in Windows 10, version 1709:
- Windows Components\Windows Update\Do not allow update deferral policies to cause scans against Windows Update
## New Group Policy settings in Windows 10, version 1703
## New Group Policy settings in Windows 10, version 1703
The following Group Policy settings were added in Windows 10, version 1703:
@ -481,10 +481,9 @@ For a spreadsheet of Group Policy settings included in Windows 10 and Windows Se
## New MDM policies
Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education include previous Windows Phone settings, and new or enhanced settings for Windows 10, such as:
Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education includes settings from Windows Phone 8.1, plus new or enhanced settings for Windows 10, such as:
- Defender (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education only)
- Defender (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education only)
- Enhanced Bluetooth policies
@ -508,7 +507,7 @@ Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, and
Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](./mdm/policy-configuration-service-provider.md).
If you use Microsoft Intune for MDM, you can [configure custom policies](https://go.microsoft.com/fwlink/p/?LinkId=616316) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616317).
If you use Microsoft Intune for MDM, you can [configure custom policies](https://go.microsoft.com/fwlink/p/?LinkId=616316) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616317).
No new [Exchange ActiveSync policies](/exchange/mobile-device-mailbox-policies-exchange-2013-help). For more information, see the [ActiveSync configuration service provider](./mdm/activesync-csp.md) technical reference.
@ -519,7 +518,3 @@ No new [Exchange ActiveSync policies](/exchange/mobile-device-mailbox-policies-e
[Manage corporate devices](manage-corporate-devices.md)
[Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10)
 

3
windows/client-management/quick-assist.md
View File

@ -19,6 +19,9 @@ Quick Assist is a Windows application that enables a person to share their devic
All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesnt have to authenticate.
> [!NOTE]
> In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session.
### Authentication
The helper can authenticate when they sign in by using a Microsoft Account (MSA) or Azure Active Directory. Local Active Directory authentication is not supported at this time.

2
windows/client-management/troubleshoot-stop-errors.md
View File

@ -129,7 +129,7 @@ More information on how to use Dumpchk.exe to check your dump files:
### Pagefile Settings
- [Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows](/windows/client-management/introduction-page-file)
- [Introduction of page file in Long-Term Servicing Channel and General Availability Channel of Windows](/windows/client-management/introduction-page-file)
- [How to determine the appropriate page file size for 64-bit versions of Windows](/windows/client-management/determine-appropriate-page-file-size)
- [How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2](/windows/client-management/generate-kernel-or-complete-crash-dump)

12
windows/client-management/troubleshoot-tcpip-netmon.md
View File

@ -7,7 +7,7 @@ ms.topic: troubleshooting
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
ms.date: 12/06/2018
ms.date: 01/27/2022
ms.reviewer:
manager: dansimp
ms.collection: highpri
@ -15,10 +15,10 @@ ms.collection: highpri
# Collect data using Network Monitor
In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic.
In this article, you will learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic.
> [!NOTE]
> Network Monitor is the archived protocol analyzer and is no longer under development. **Microsoft Message Analyzer** is the replacement for Network Monitor. For more details, see [Microsoft Message Analyzer Operating Guide](/message-analyzer/microsoft-message-analyzer-operating-guide).
> Network Monitor is the archived protocol analyzer and is no longer under development. Also, Microsoft Message Analyzer (MMA) was retired and its download packages were removed from microsoft.com sites on November 25, 2019. There is currently no Microsoft replacement for Microsoft Message Analyzer in development at this time. For similar functionality, consider using another, non-Microsoft network protocol analyzer tool. For more details, see [Microsoft Message Analyzer Operating Guide](/message-analyzer/microsoft-message-analyzer-operating-guide).
To get started, [download Network Monitor tool](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image:
@ -28,11 +28,11 @@ When the driver gets hooked to the network interface card (NIC) during installat
**To capture traffic**
1. Run netmon in an elevated status by choosing Run as Administrator.
1. Run netmon in an elevated status by choosing **Run as Administrator**.
![Image of Start search results for Netmon.](images/nm-start.png)
2. Network Monitor opens with all network adapters displayed. Select the network adapters where you want to capture traffic, click **New Capture**, and then click **Start**.
2. Network Monitor opens with all network adapters displayed. Select the network adapters where you want to capture traffic, click **New Capture**, and then select **Start**.
![Image of the New Capture option on menu.](images/tcp-ts-4.png)
@ -67,4 +67,4 @@ Network traces which are collected using the **netsh** commands built in to Wind
[Network Monitor Wireless Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1900.network-monitor-wireless-filtering.aspx)<br>
[Network Monitor TCP Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1134.network-monitor-tcp-filtering.aspx)<br>
[Network Monitor Conversation Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1829.network-monitor-conversation-filtering.aspx)<br>
[How to setup and collect network capture using Network Monitor tool](/archive/blogs/msindiasupp/how-to-setup-and-collect-network-capture-using-network-monitor-tool)<br>
[How to setup and collect network capture using Network Monitor tool](/archive/blogs/msindiasupp/how-to-setup-and-collect-network-capture-using-network-monitor-tool)<br>

20
windows/client-management/troubleshoot-tcpip-port-exhaust.md
View File

@ -7,7 +7,7 @@ ms.topic: troubleshooting
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
ms.date: 12/06/2018
ms.date: 02/07/2022
ms.reviewer:
manager: dansimp
ms.collection: highpri
@ -22,9 +22,9 @@ There are two types of ports:
- *Ephemeral ports*, which are usually dynamic ports, are the set of ports that every machine by default will have them to make an outbound connection.
- *Well-known ports* are the defined port for a particular application or service. For example, file server service is on port 445, HTTPS is 443, HTTP is 80, and RPC is 135. Custom application will also have their defined port numbers.
Clients when connecting to an application or service will make use of an ephemeral port from its machine to connect to a well-known port defined for that application or service. A browser on a client machine will use an ephemeral port to connect to https://www.microsoft.com on port 443.
When connecting to an application or service, client devices use an ephemeral port from the device to connect to a well-known port defined for that application or service. A browser on a client machine will use an ephemeral port to connect to `https://www.microsoft.com` on port 443.
In a scenario where the same browser is creating a lot of connections to multiple website, for any new connection that the browser is attempting, an ephemeral port is used. After some time, you will notice that the connections will start to fail and one high possibility for this would be because the browser has used all the available ports to make connections outside and any new attempt to establish a connection will fail as there are no more ports available. When all the ports are on a machine are used, we term it as *port exhaustion*.
In a scenario where the same browser is creating a lot of connections to multiple websites, for any new connection that the browser is attempting, an ephemeral port is used. After some time, you will notice that the connections will start to fail and one high possibility for this would be because the browser has used all the available ports to make connections outside and any new attempt to establish a connection will fail as there are no more ports available. When all the ports on a machine are used, we term it as *port exhaustion*.
## Default dynamic port range for TCP/IP
@ -95,16 +95,16 @@ If you suspect that the machine is in a state of port exhaustion:
![Screenshot of netstate command output.](images/tcp-ts-20.png)
After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state.
After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used by the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state.
You may also see CLOSE_WAIT state connections in the same output, however CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion.
You might also see CLOSE_WAIT state connections in the same output; however, CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion.
>[!Note]
>Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion.
> [!Note]
> Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion.
>
>Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports.
> Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports.
>
>Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more.
> Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more.
4. Open a command prompt in admin mode and run the below command
@ -164,7 +164,7 @@ Steps to use Process explorer:
Finally, if the above methods did not help you isolate the process, we suggest you collect a complete memory dump of the machine in the issue state. The dump will tell you which process has the maximum handles.
As a workaround, rebooting the computer will get the it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands:
As a workaround, rebooting the computer will get it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands:
```console
netsh int ipv4 set dynamicport tcp start=10000 num=1000

8
windows/client-management/windows-version-search.md
View File

@ -1,7 +1,7 @@
---
title: What version of Windows am I running?
description: Discover which version of Windows you are running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or Semi-Annual Channel.
keywords: Long-Term Servicing Channel, LTSC, LTSB, Semi-Annual Channel, SAC, Windows, version, OS Build
description: Discover which version of Windows you are running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel.
keywords: Long-Term Servicing Channel, LTSC, LTSB, General Availability Channel, GAC, Windows, version, OS Build
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@ -15,7 +15,7 @@ ms.topic: troubleshooting
# What version of Windows am I running?
To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [Semi-Annual Channel](/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so its useful to learn about all of them.
To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so its useful to learn about all of them.
## System Properties
Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu
@ -48,4 +48,4 @@ At the Command Prompt or PowerShell, type **"slmgr /dlv"**, and then press ENTER
The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesnt contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (you do have some limited search capabilities), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Its important to remember that the LTSC model is primarily for specialized devices.
In the Semi-Annual Channel, you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows 10 feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment.
In the General Availability Channel, you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows 10 feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment.

40
windows/configuration/manage-wifi-sense-in-enterprise.md
View File

@ -19,26 +19,28 @@ ms.topic: article
**Applies to**
- Windows 10 version 1709 and older
- Windows 10 version 1709 and older
>[!IMPORTANT]
>Beginning with Windows 10, version 1803, Wifi-Sense is no longer available. The following information only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) for more details.
> [!IMPORTANT]
> Beginning with Windows 10, version 1803, Wifi-Sense is no longer available. The following information only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) for more details.
Wi-Fi Sense learns about open Wi-Fi hotspots your Windows PC or Windows phone connects to by collecting information about the network, like whether the open Wi-Fi network has a high-quality connection to the Internet. By using that information from your device and from other Wi-Fi Sense customers' devices too, Wi-Fi Sense builds a database of these high-quality networks. When youre in range of one of these Wi-Fi hotspots, you automatically get connected to it.
Wi-Fi Sense learns about open Wi-Fi hotspots your Windows device by collecting information about the network, like whether the open Wi-Fi network has a high-quality connection to the Internet. By using that information from your device and from other Wi-Fi Sense customers' devices too, Wi-Fi Sense builds a database of these high-quality networks. When youre in range of one of these Wi-Fi hotspots, you automatically get connected to it.
The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10.
The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your device with Windows 10.
**Note**<br>Wi-Fi Sense isnt available in all countries or regions.
> [!NOTE]
> >Wi-Fi Sense isnt available in all countries or regions.
## How does Wi-Fi Sense work?
Wi-Fi Sense connects your employees to open Wi-Fi networks. Typically, these are the open (no password required) Wi-Fi hotspots you see when youre out and about.
## How to manage Wi-Fi Sense in your company
In a company environment, you will most likely deploy Windows 10 to your employees' PCs using your preferred deployment method and then manage their settings globally. With that in mind, you have a few options for managing how your employees will use Wi-Fi Sense.
In a company environment, you will most likely deploy Windows 10 to your employees' devices using your preferred deployment method and then manage their settings globally. With that in mind, you have a few options for managing how your employees will use Wi-Fi Sense.
**Important**<br>Turning off Wi-Fi Sense stops employees from connecting automatically to open hotspots.
> [!IMPORTANT]
> Turning off Wi-Fi Sense stops employees from connecting automatically to open hotspots.
### Using Group Policy (available starting with Windows 10, version 1511)
### Using Group Policy (available starting with Windows 10, version 1511)
You can manage your Wi-Fi Sense settings by using Group Policy and your Group Policy editor.
**To set up Wi-Fi Sense using Group Policy**
@ -57,7 +59,8 @@ You can manage your Wi-Fi Sense settings by using registry keys and the Registry
1. Open your Registry Editor and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config\`
2. Create and set a new **DWORD (32-bit) Value** named, **AutoConnectAllowedOEM**, with a **Value data** of **0 (zero)**.
<p>Setting this value to <strong>0</strong> turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the <strong>Wi-Fi Settings</strong> screen, but can&#39;t be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see <a href="/troubleshoot/windows-client/networking/configure-wifi-sense-and-paid-wifi-service" data-raw-source="[How to configure Wi-Fi Sense on Windows 10 in an enterprise](/troubleshoot/windows-client/networking/configure-wifi-sense-and-paid-wifi-service)">How to configure Wi-Fi Sense on Windows 10 in an enterprise</a>.
Setting this value to `0` turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see [How to configure Wi-Fi Sense on Windows 10 in an enterprise](/troubleshoot/windows-client/networking/configure-wifi-sense-and-paid-wifi-service).
![Registry Editor, showing the creation of a new DWORD value.](images/wifisense-registry.png)
@ -67,7 +70,8 @@ You can manage your Wi-Fi Sense settings by changing the Windows provisioning se
**To set up Wi-Fi Sense using WiFISenseAllowed**
- Change the Windows Provisioning setting, **WiFISenseAllowed**, to **0**.
<p>Setting this value to <strong>0</strong> turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the <strong>Wi-Fi Settings</strong> screen, but can&#39;t be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Windows Provisioning settings reference topic, <a href="/windows/configuration/wcd/wcd-connectivityprofiles#wifisense" data-raw-source="[WiFiSenseAllowed](./wcd/wcd-connectivityprofiles.md#wifisense)">WiFiSenseAllowed</a>.
Setting this value to `0` turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Windows Provisioning settings reference topic, [WiFiSenseAllowed](./wcd/wcd-connectivityprofiles.md#wifisense).
### Using Unattended Windows Setup settings
If your company still uses Unattend, you can manage your Wi-Fi Sense settings by changing the Unattended Windows Setup setting, **WiFiSenseAllowed**.
@ -75,24 +79,24 @@ If your company still uses Unattend, you can manage your Wi-Fi Sense settings by
**To set up Wi-Fi Sense using WiFISenseAllowed**
- Change the Unattended Windows Setup setting, **WiFISenseAllowed**, to **0**.
<p>Setting this value to <strong>0</strong> turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the <strong>Wi-Fi Settings</strong> screen, but can&#39;t be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Unattended Windows Setup Reference topic, <a href="/previous-versions//mt186511(v=vs.85)" data-raw-source="[WiFiSenseAllowed](/previous-versions//mt186511(v=vs.85))">WiFiSenseAllowed</a>.
Setting this value to `0` turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings</strong> screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Unattended Windows Setup Reference topic, [WiFiSenseAllowed](/previous-versions//mt186511(v=vs.85)).
### How employees can change their own Wi-Fi Sense settings
If you dont turn off the ability for your employees to use Wi-Fi Sense, they can turn it on locally by selecting **Settings &gt; Network & Internet &gt; Wi-Fi &gt; Manage Wi-Fi settings**, and then turning on **Connect to suggested open hotspots**.
If you dont turn off the ability for your employees to use Wi-Fi Sense, they can turn it on locally by selecting **Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings**, and then turning on **Connect to suggested open hotspots**.
![Wi-Fi Sense options shown to employees if it's not turned off.](images/wifisense-settingscreens.png)
**Important**<br>The service that was used to share networks with Facebook friends, Outlook.com contacts, or Skype contacts is no longer available. This means:
> [!IMPORTANT]
> The service that was used to share networks with Facebook friends, Outlook.com contacts, or Skype contacts is no longer available. This means:
The **Connect to networks shared by my contacts** setting will still appear in **Settings &gt; Network & Internet &gt; Wi-Fi &gt; Manage Wi-Fi settings** on your PC and in **Settings &gt; Network & wireless &gt; WiFi &gt; WiFi Sense** on your phone. However, this setting will have no effect now. Regardless of what its set to, networks wont be shared with your contacts. Your contacts wont be connected to networks youve shared with them, and you wont be connected to networks theyve shared with you.
The **Connect to networks shared by my contacts** setting will still appear in **Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings** on your device. However, this setting will have no effect now. Regardless of what its set to, networks wont be shared with your contacts. Your contacts wont be connected to networks youve shared with them, and you wont be connected to networks theyve shared with you.
Even if you selected **Automatically connect to networks shared by your contacts** when you first set up your Windows 10 device, you still wont be connected to networks your contacts have shared with you.
If you select the **Share network with my contacts** check box the first time you connect to a new network, the network wont be shared.
## Related topics
- [Wi-Fi Sense and Privacy](https://go.microsoft.com/fwlink/p/?LinkId=620911)
- [How to configure Wi-Fi Sense on Windows 10 in an enterprise](/troubleshoot/windows-client/networking/configure-wifi-sense-and-paid-wifi-service)

232
windows/configuration/provisioning-packages/provisioning-multivariant.md
View File

@ -121,30 +121,30 @@ Follow these steps to create a provisioning package with multivariant capabiliti
The following example shows the contents of a sample customizations.xml file.
```XML
&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;
<WindowsCustomizatons>
<PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
<ID>{6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}</ID>
<Name>My Provisioning Package</Name>
<Version>1.0</Version>
<OwnerType>OEM</OwnerType>
<Rank>50</Rank>
</PackageConfig>
<Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
<Customizations>
<Common>
<Policies>
<AllowBrowser>0</AllowBrowser>
<AllowCamera>0</AllowCamera>
<AllowBluetooth>0</AllowBluetooth>
</Policies>
<HotSpot>
<Enabled>0</Enabled>
</HotSpot>
</Common>
</Customizations>
</Settings>
</WindowsCustomizatons>
<?xml version="1.0" encoding="utf-8"?>
<WindowsCustomizations>
<PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
<ID>{6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}</ID>
<Name>My Provisioning Package</Name>
<Version>1.0</Version>
<OwnerType>OEM</OwnerType>
<Rank>50</Rank>
</PackageConfig>
<Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
<Customizations>
<Common>
<Policies>
<AllowBrowser>0</AllowBrowser>
<AllowCamera>0</AllowCamera>
<AllowBluetooth>0</AllowBluetooth>
</Policies>
<HotSpot>
<Enabled>0</Enabled>
</HotSpot>
</Common>
</Customizations>
</Settings>
</WindowsCustomizations>
```
5. Edit the customizations.xml file to create a **Targets** section to describe the conditions that will handle your multivariant settings.
@ -152,48 +152,48 @@ Follow these steps to create a provisioning package with multivariant capabiliti
The following example shows the customizations.xml, which has been modified to include several conditions including **ProcessorName**, **ProcessorType**, **MCC**, and **MNC**.
```XML
<?xml version="1.0" encoding="utf-8"?>
<WindowsCustomizatons>
<PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
<ID>{6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}</ID>
<Name>My Provisioning Package</Name>
<Version>1.0</Version>
<OwnerType>OEM</OwnerType>
<Rank>50</Rank>
</PackageConfig>
<Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
<Customizations>
<Common>
<Policies>
<AllowBrowser>0</AllowBrowser>
<AllowCamera>0</AllowCamera>
<AllowBluetooth>0</AllowBluetooth>
</Policies>
<HotSpot>
<Enabled>0</Enabled>
</HotSpot>
</Common>
<Targets>
<Target Id="Unique target identifier for desktop">
<TargetState>
<Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" />
<Condition Name="ProcessorType" Value="Pattern:.*(I|i)ntel.*" />
</TargetState>
<TargetState>
<Condition Name="ProcessorName" Value="Barton" />
<Condition Name="ProcessorType" Value="Athlon MP" />
</TargetState>
</Target>
<Target Id="Mobile target">
<TargetState>
<Condition Name="MCC" Value="Range:310, 320" />
<Condition Name="MNC" Value="!Range:400, 550" />
</TargetState>
</Target>
</Targets>
</Customizations>
</Settings>
</WindowsCustomizatons>
<?xml version="1.0" encoding="utf-8"?>
<WindowsCustomizations>
<PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
<ID>{6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}</ID>
<Name>My Provisioning Package</Name>
<Version>1.0</Version>
<OwnerType>OEM</OwnerType>
<Rank>50</Rank>
</PackageConfig>
<Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
<Customizations>
<Common>
<Policies>
<AllowBrowser>0</AllowBrowser>
<AllowCamera>0</AllowCamera>
<AllowBluetooth>0</AllowBluetooth>
</Policies>
<HotSpot>
<Enabled>0</Enabled>
</HotSpot>
</Common>
<Targets>
<Target Id="Unique target identifier for desktop">
<TargetState>
<Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" />
<Condition Name="ProcessorType" Value="Pattern:.*(I|i)ntel.*" />
</TargetState>
<TargetState>
<Condition Name="ProcessorName" Value="Barton" />
<Condition Name="ProcessorType" Value="Athlon MP" />
</TargetState>
</Target>
<Target Id="Mobile target">
<TargetState>
<Condition Name="MCC" Value="Range:310, 320" />
<Condition Name="MNC" Value="!Range:400, 550" />
</TargetState>
</Target>
</Targets>
</Customizations>
</Settings>
</WindowsCustomizations>
```
6. In the customizations.xml file, create a **Variant** section for the settings you need to customize. To do this:
@ -212,56 +212,56 @@ Follow these steps to create a provisioning package with multivariant capabiliti
The following example shows the customizations.xml updated to include a **Variant** section and the moved settings that will be applied if the conditions for the variant are met.
```XML
&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;
<WindowsCustomizatons>
<PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
<ID>{6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}</ID>
<Name>My Provisioning Package</Name>
<Version>1.0</Version>
<OwnerType>OEM</OwnerType>
<Rank>50</Rank>
</PackageConfig>
<Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
<Customizations>
<Common>
</Common>
<Targets>
<Target Id="Unique target identifier for desktop">
<TargetState>
<Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" />
<Condition Name="ProcessorType" Value="Pattern:.*(I|i)ntel.*" />
</TargetState>
<TargetState>
<Condition Name="ProcessorName" Value="Barton" />
<Condition Name="ProcessorType" Value="Athlon MP" />
</TargetState>
</Target>
<Target Id="Mobile target">
<TargetState>
<Condition Name="MCC" Value="Range:310, 320" />
<Condition Name="MNC" Value="!Range:400, 550" />
</TargetState>
</Target>
</Targets>
<Variant>
<TargetRefs>
<TargetRef Id="Unique target identifier for desktop" />
<TargetRef Id="Mobile target" />
</TargetRefs>
<Settings>
<Policies>
<AllowBrowser>1</AllowBrowser>
<AllowCamera>1</AllowCamera>
<AllowBluetooth>1</AllowBluetooth>
</Policies>
<HotSpot>
<Enabled>1</Enabled>
</HotSpot>
</Settings>
</Variant>
</Customizations>
</Settings>
</WindowsCustomizatons>
<?xml version="1.0" encoding="utf-8"?>
<WindowsCustomizations>
<PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
<ID>{6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}</ID>
<Name>My Provisioning Package</Name>
<Version>1.0</Version>
<OwnerType>OEM</OwnerType>
<Rank>50</Rank>
</PackageConfig>
<Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
<Customizations>
<Common>
</Common>
<Targets>
<Target Id="Unique target identifier for desktop">
<TargetState>
<Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" />
<Condition Name="ProcessorType" Value="Pattern:.*(I|i)ntel.*" />
</TargetState>
<TargetState>
<Condition Name="ProcessorName" Value="Barton" />
<Condition Name="ProcessorType" Value="Athlon MP" />
</TargetState>
</Target>
<Target Id="Mobile target">
<TargetState>
<Condition Name="MCC" Value="Range:310, 320" />
<Condition Name="MNC" Value="!Range:400, 550" />
</TargetState>
</Target>
</Targets>
<Variant>
<TargetRefs>
<TargetRef Id="Unique target identifier for desktop" />
<TargetRef Id="Mobile target" />
</TargetRefs>
<Settings>
<Policies>
<AllowBrowser>1</AllowBrowser>
<AllowCamera>1</AllowCamera>
<AllowBluetooth>1</AllowBluetooth>
</Policies>
<HotSpot>
<Enabled>1</Enabled>
</HotSpot>
</Settings>
</Variant>
</Customizations>
</Settings>
</WindowsCustomizations>
```
7. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step.

2
windows/deployment/TOC.yml
View File

@ -167,6 +167,8 @@
href: update/waas-manage-updates-wufb.md
- name: Configure Windows Update for Business
href: update/waas-configure-wufb.md
- name: Use Windows Update for Business and WSUS
href: update/wufb-wsus.md
- name: Windows Update for Business deployment service
href: update/deployment-service-overview.md
items:

5
windows/deployment/deploy-enterprise-licenses.md
View File

@ -255,3 +255,8 @@ At a command prompt, type: **winver**
A popup window will display the Windows 10 version number and detailed OS build information.
If a device is running a version of Windows 10 Pro prior to version 1703 (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
### Delay in the activation of Enterprise License of Windows 10
This is by design. Windows 10 and Windows 11 include a built-in cache that is used when determining upgrade eligibility, including responses that indicate that the device is not eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires.

4
windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
View File

@ -164,7 +164,7 @@ Download all three items in this list to the D:\\Downloads folder on MDT01.
For example, you can use the following configuration.xml file, which provides these configuration settings:
- Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet. Note: 64-bit is now the default and recommended edition.
- Use the Semi-Annual Channel and get updates directly from the Office CDN on the internet.
- Use the General Availability Channel and get updates directly from the Office CDN on the internet.
- Perform a silent installation. You wont see anything that shows the progress of the installation and you wont see any error messages.
```xml
@ -179,7 +179,7 @@ Download all three items in this list to the D:\\Downloads folder on MDT01.
</Configuration>
```
By using these settings, any time you build the reference image youll be installing the most up-to-date Semi-Annual Channel version of Microsoft 365 Apps for enterprise.
By using these settings, any time you build the reference image youll be installing the most up-to-date General Availability Channel version of Microsoft 365 Apps for enterprise.
>[!TIP]
>You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file.

1
windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
View File

@ -257,6 +257,5 @@ When you have completed all the steps in this section to prepare for deployment,
**Sample files**
The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so you can see how some tasks can be automated with Windows PowerShell.
- [Gather.ps1](/samples/browse/?redirectedfrom=TechNet-Gallery). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment.
- [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU.
- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT.

5
windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
View File

@ -38,9 +38,6 @@ If you have access to Microsoft BitLocker Administration and Monitoring (MBAM),
> [!NOTE]
> Backing up TPM to Active Directory was supported only on Windows 10 version 1507 and 1511.
>[!NOTE]
>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For more information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-7/dd875529(v=ws.10)). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).
## Configure Active Directory for BitLocker
@ -170,4 +167,4 @@ In the following task sequence, we added five actions:
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)<br>
[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)<br>
[Use web services in MDT](use-web-services-in-mdt.md)<br>
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)

2
windows/deployment/mbr-to-gpt.md
View File

@ -12,7 +12,7 @@ ms.author: greglin
ms.date: 02/13/2018
manager: dougeby
ms.audience: itpro
ms.localizationpriority: medium
ms.localizationpriority: high
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.collection: highpri

2
windows/deployment/planning/windows-10-deprecated-features.md
View File

@ -33,7 +33,7 @@ The features described below are no longer being actively developed, and might b
| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**<br>Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows 10/11.<br>The following items might not be available in a future release of Windows client:<br>- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**<br>- Command line parameter: [manage-bde -DiscoveryVolumeType](/windows-server/administration/windows-commands/manage-bde-on) (-dv)<br>- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**<br>- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 |
| Internet Explorer (IE) 11 | The IE11 desktop application will end support for certain operating systems starting June 15, 2022. For more information, see [Internet Explorer 11](/lifecycle/products/internet-explorer-11). | 21H1 |
| Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 |
| Windows Management Instrumentation Command line (WMIC) tool. | The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 semi-annual channel release of Windows Server. This tool is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation only applies to the [command-line management tool](/windows/win32/wmisdk/wmic). WMI itself is not affected. | 21H1 |
| Windows Management Instrumentation Command line (WMIC) tool. | The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This tool is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation only applies to the [command-line management tool](/windows/win32/wmisdk/wmic). WMI itself is not affected. | 21H1 |
| Timeline | Starting in July 2021, if you have your activity history synced across your devices through your Microsoft account (MSA), you'll no longer have the option to upload new activity in Timeline. See [Get help with timeline](https://support.microsoft.com/windows/get-help-with-timeline-febc28db-034c-d2b0-3bbe-79aa0c501039).| 20H2 |
| Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 |
| Companion Device Framework | The [Companion Device Framework](/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 |

4
windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
View File

@ -149,5 +149,5 @@ sections:
Use the following resources for additional information about Windows 10.
- If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet.
- If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum/windows_10).
- If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev) or [Windows and Windows phone apps forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsapps) on MSDN.
- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet.
- If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev).
- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home).

4
windows/deployment/s-mode.md
View File

@ -3,7 +3,7 @@ title: Windows 10 Pro in S mode
description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers?
keywords: Windows 10 S, S mode, Windows S mode, Windows 10 S mode, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Enterprise in S mode, Windows 10 Pro/Enterprise in S mode
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.localizationpriority: high
ms.prod: w10
ms.sitesec: library
ms.pagetype: deploy
@ -58,4 +58,4 @@ The [MSIX Packaging Tool](/windows/application-management/msix-app-packaging-too
- [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode)
- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices)
- [Windows Defender Application Control deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
- [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
- [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)

2
windows/deployment/update/PSFxWhitepaper.md
View File

@ -1,7 +1,7 @@
---
title: Windows Updates using forward and reverse differentials
description: A technique to produce compact software updates optimized for any origin and destination revision pair
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
keywords: updates, servicing, current, deployment, General Availability Channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro

4
windows/deployment/update/WIP4Biz-intro.md
View File

@ -1,7 +1,7 @@
---
title: Introduction to the Windows Insider Program for Business
description: In this article, you'll learn about the Windows Insider Program for Business and why IT Pros should join.
keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight
keywords: updates, servicing, current, deployment, General Availability Channel, General Availability Channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight
ms.custom: seo-marvel-apr2020
ms.prod: w10
ms.mktglfcycl: manage
@ -37,7 +37,7 @@ Microsoft recommends that all organizations have at least a few devices enrolled
The Windows Insider Program doesn't replace General Availability Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft.
[![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the Semi-Annual Channel Targeted ring for Pilot deployment, and the Semi-Annual Channel for broad deployment.](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)<br>
[![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the General Availability Channel Targeted ring for Pilot deployment, and the General Availability Channel for broad deployment.](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)<br>
Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments.
## Explore new Windows 10 features in Insider Previews

2
windows/deployment/update/eval-infra-tools.md
View File

@ -2,7 +2,7 @@
title: Evaluate infrastructure and tools
manager: laurawi
description: Steps to make sure your infrastructure is ready to deploy updates
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
keywords: updates, servicing, current, deployment, General Availability Channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro

2
windows/deployment/update/get-started-updates-channels-tools.md
View File

@ -1,7 +1,7 @@
---
title: Windows client updates, channels, and tools
description: Brief summary of the kinds of Windows updates, the channels they are served through, and the tools for managing them
keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, tools
keywords: updates, servicing, current, deployment, General Availability Channel, General Availability Channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo

BIN
windows/deployment/update/images/waas-mcc-diag-overview.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 122 KiB

Some files were not shown because too many files have changed in this diff Show More