mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-22 22:03:46 +00:00
Move client-tools
@ -0,0 +1,75 @@
---
title: Windows Tools/Administrative Tools
description: The folders for Windows Tools and Administrative Tools are folders in the Control Panel that contain tools for system administrators and advanced users.
ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.localizationpriority: medium
ms.date: 03/28/2022
ms.topic: article
ms.collection:
- highpri
- tier2
ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---

# Windows Tools/Administrative Tools

**Windows Tools** is a folder in the Windows 11 Control Panel. **Administrative Tools** is a folder in the Windows 10 Control Panel. These folders contain tools for system administrators and advanced users.

## Windows Tools folder (Windows 11)

The following graphic shows the **Windows Tools** folder in Windows 11:

:::image type="content" source="images/win11-control-panel-windows-tools.png" alt-text="Screenshot of the Control Panel in Windows 11, highlighting the Administrative Tools folder." lightbox="images/win11-control-panel-windows-tools.png":::

The tools in the folder might vary depending on which edition of Windows you use.

:::image type="content" source="images/win11-windows-tools.png" alt-text="Screenshot of the contents of the Windows Tools folder in Windows 11." lightbox="images/win11-windows-tools.png":::

## Administrative Tools folder (Windows 10)

The following graphic shows the **Administrative Tools** folder in Windows 10:

The tools in the folder might vary depending on which edition of Windows you use.

## Tools

The tools are located in the folder `C:\Windows\System32\` or its subfolders.

These tools were included in previous versions of Windows. The associated documentation for each tool can help you use them. The following list provides links to documentation for each tool.

- [Component Services](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731901(v=ws.11))
- [Computer Management](https://support.microsoft.com/topic/how-to-use-computer-management-in-windows-xp-d5872f93-4498-f4dd-3a34-36d6f569924f)
- [Defragment and Optimize Drives](https://support.microsoft.com/windows/ways-to-improve-your-computer-s-performance-c6018c78-0edd-a71a-7040-02267d68ea90)
- [Disk Cleanup](https://support.microsoft.com/windows/disk-cleanup-in-windows-8a96ff42-5751-39ad-23d6-434b4d5b9a68)
- [Event Viewer](/previous-versions/windows/it-pro/windows-2000-server/cc938674(v=technet.10))
- [iSCSI Initiator](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476(v=ws.10))
- [Local Security Policy](/previous-versions/tn-archive/dd277395(v=technet.10))
- [ODBC Data Sources](/sql/odbc/admin/odbc-data-source-administrator)
- [Performance Monitor](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc749115(v=ws.11))
- [Print Management](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731857(v=ws.11))
- [Recovery Drive](https://support.microsoft.com/windows/create-a-recovery-drive-abb4691b-5324-6d4a-8766-73fab304c246)
- [Registry Editor](/windows/win32/sysinfo/registry)
- [Resource Monitor](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd883276(v=ws.10))
- [Services](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772408(v=ws.11))
- [System Configuration](/troubleshoot/windows-client/performance/system-configuration-utility-troubleshoot-configuration-errors)
- [System Information](/previous-versions/windows/it-pro/windows-2000-server/cc957818(v=technet.10))
- [Task Scheduler](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766428(v=ws.11))
- [Windows Firewall with Advanced Security](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754274(v=ws.11))
- [Windows Memory Diagnostic](/previous-versions/technet-magazine/cc745953(v=msdn.10))

> [!TIP]
> If the linked content in this list doesn't provide the information you need to use that tool, send feedback with the **This page** link in the **Feedback** section at the bottom of this article.

## Related topics

[Diagnostic data viewer](/windows/privacy/diagnostic-data-viewer-overview)
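Review bot: The alt text of the first screenshot in the Windows 11 section says "highlighting the Administrative Tools folder", but the image file (win11-control-panel-windows-tools.png) and the sentence above it describe the Windows Tools folder; suggest `alt-text="Screenshot of the Control Panel in Windows 11, highlighting the Windows Tools folder."`. In the Windows 10 section the lines after "The following graphic shows the **Administrative Tools** folder in Windows 10:" and after "The tools in the folder might vary..." are empty where the two screenshot references should be, so check that the image markup was carried over in the move. Minor: the Computer Management entry links to a Windows XP how-to article while the page applies to Windows 10 and 11; a current article would serve readers better.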
@ -0,0 +1,60 @@
---
title: Windows 10 default media removal policy
description: In Windows 10, version 1809, the default removal policy for external storage media changed from Better performance to Quick removal.
ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 11/25/2020
ms.topic: article
ms.custom:
- CI 111493
- CI 125140
- CSSTroubleshooting
ms.localizationpriority: medium
manager: kaushika
ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---

# Change in default removal policy for external storage media in Windows 10, version 1809

Windows defines two main policies, **Quick removal** and **Better performance**, that control how the system interacts with external storage devices such as USB thumb drives or Thunderbolt-enabled external drives. Beginning in Windows 10 version 1809, the default policy is **Quick removal**.

In earlier versions of Windows, the default policy was **Better performance**.

You can change the policy setting for each external device, and the policy that you set remains in effect if you disconnect the device and then connect it again to the same computer port.

## More information

You can use the storage device policy setting to change the manner in which Windows manages storage devices to better meet your needs. The policy settings have the following effects:

* **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows cannot cache disk write operations. This may degrade system performance.
* **Better performance**: This policy manages storage operations in a manner that improves system performance. When this policy is in effect, Windows can cache write operations to the external device. However, you must use the Safely Remove Hardware process to remove the external drive. The Safely Remove Hardware process protects the integrity of data on the device by making sure that all cached operations finish.
> [!IMPORTANT]
> If you use the **Better performance** policy, you must use the Safely Remove Hardware process to remove the device. If you remove or disconnect the device without following the safe removal instructions, you risk losing data.

> [!NOTE]
> If you select **Better performance**, we recommend that you also select **Enable write caching on the device**.

To change the policy for an external storage device:

1. Connect the device to the computer.
1. Right-click **Start**, then select **File Explorer**.
1. In File Explorer, identify the letter or label that is associated with the device (for example, **USB Drive (D:)**).
1. Right-click **Start**, then select **Disk Management**.
1. In the lower section of the Disk Management window, right-click the label of the device, and then select **Properties**.

1. Select **Policies**.

> [!NOTE]
> Some recent versions of Windows may use a different arrangement of tabs in the disk properties dialog box.
>
> If you do not see the **Policies** tab, select **Hardware**, select the removable drive from the **All disk drives** list, and then select **Properties**. The **Policies** tab should now be available.

1. Select the policy that you want to use.
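Review bot: The IMPORTANT callout directly after the policy list repeats the last two sentences of the **Better performance** bullet almost word for word; keep one of them, preferably the callout, since the data-loss risk is the point a reader must not miss, and add a blank line before the callout so it is not parsed as part of the list item. The lines after step 5 ("...and then select **Properties**.") and after the final step are empty where the screenshots of the Properties dialog and the Policies tab should be, so check that the image markup survived the move. One clarification worth adding to the intro: the setting is said to persist only when the device returns "to the same computer port", so state explicitly that a different port starts again from the default (**Quick removal**), since readers who rely on **Better performance** with write caching may otherwise not expect the change.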
@ -0,0 +1,124 @@
---
title: Connect to remote Azure Active Directory joined device (Windows)
description: Learn how to use Remote Desktop Connection to connect to an Azure AD joined device.
ms.prod: windows-client
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.author: vinpa
ms.date: 01/18/2022
manager: aaroncz
ms.topic: article
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
ms.collection:
- highpri
- tier2
ms.technology: itpro-manage
---

# Connect to remote Azure Active Directory joined device

From its release, Windows has supported remote connections to devices joined to Active Directory using Remote Desktop Protocol (RDP). Windows 10, version 1607 added the ability to connect to a device that is joined to Azure Active Directory (Azure AD) using RDP.

- Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).
- Starting in Windows 10/11, with 2022-09 preview update installed, you can [use Azure AD authentication to connect to the remote Azure AD device](#connect-with-azure-ad-authentication).

## Prerequisites

- Both devices (local and remote) must be running a supported version of Windows.
- Remote device must have the **Connect to and use this PC from another device using the Remote Desktop app** option selected under **Settings** > **System** > **Remote Desktop**.
- It's recommended to select **Require devices to use Network Level Authentication to connect** option.
- If the user who joined the device to Azure AD is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the device remotely, you must [add users to the Remote Desktop Users group](#add-users-to-remote-desktop-users-group) on the remote device.
- Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard) is turned off on the device you're using to connect to the remote device.

## Connect with Azure AD Authentication

Azure AD Authentication can be used on the following operating systems:

- Windows 11 with [2022-09 Cumulative Updates for Windows 11 Preview (KB5017383)](https://support.microsoft.com/kb/KB5017383) or later installed.
- Windows 10, version 20H2 or later with [2022-09 Cumulative Updates for Windows 10 Preview (KB5017380)](https://support.microsoft.com/kb/KB5017380) or later installed.
- Windows Server 2022 with [2022-09 Cumulative Update for Microsoft server operating system preview (KB5017381)](https://support.microsoft.com/kb/KB5017381) or later installed.

There's no requirement for the local device to be joined to a domain or Azure AD. As a result, this method allows you to connect to the remote Azure AD joined device from:

- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device.
- Active Directory joined device.
- Workgroup device.

To connect to the remote computer:

- Launch **Remote Desktop Connection** from Windows Search, or by running `mstsc.exe`.
- Specify the name of the remote computer.
- Select **Use a web account to sign in to the remote computer** option in the **Advanced** tab. This option is equivalent to the `enablerdsaadauth` RDP property. For more information, see [Supported RDP properties with Remote Desktop Services](/windows-server/remote/remote-desktop-services/clients/rdp-files).
- When prompted for credentials, specify your user name in `user@domain.com` format.
- You're then prompted to allow the remote desktop connection when connecting to a new PC. Azure AD remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect.

> [!IMPORTANT]
> If your organization has configured and is using [Azure AD Conditional Access](/azure/active-directory/conditional-access/overview), your device must satisfy the conditional access requirements to allow connection to the remote computer.

### Disconnection when the session is locked

The Windows lock screen in the remote session doesn't support Azure AD authentication tokens or passwordless authentication methods like FIDO keys. The lack of support for these authentication methods means that users can't unlock their screens in a remote session. When you try to lock a remote session, either through user action or system policy, the session is instead disconnected and the service sends a message to the user explaining they've been disconnected.

Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Azure AD reevaluates the applicable conditional access policies.

## Connect without Azure AD Authentication

By default, RDP doesn't use Azure AD authentication, even if the remote PC supports it. This method allows you to connect to the remote Azure AD joined device from:

- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device using Windows 10, version 1607 or later.
- [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) device using Windows 10, version 2004 or later.

> [!NOTE]
> Both the local and remote device must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop.

To connect to the remote computer:

- Launch **Remote Desktop Connection** from Windows Search, or by running `mstsc.exe`.
- Specify the name of the remote computer.
- When prompted for credentials, specify your user name in either `user@domain.com` or `AzureAD\user@domain.com` format.

> [!TIP]
> If you specify your user name in `domain\user` format, you may receive an error indicating the logon attempt failed with the message **Remote machine is AAD joined. If you are signing in to your work account, try using your work email address**.

> [!NOTE]
> For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections.

### Supported configurations

This table lists the supported configurations for remotely connecting to an Azure AD joined device:

| **Criteria** | **Client operating system** | **Supported credentials** |
|--------------------------------------------|-----------------------------------|--------------------------------------------------------------------|
| RDP from **Azure AD registered device** | Windows 10, version 2004 or later | Password, smart card |
| RDP from **Azure AD joined device** | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust |
| RDP from **hybrid Azure AD joined device** | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust |

> [!NOTE]
> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure AD joined devices, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities).

> [!NOTE]
> When an Azure AD group is added to the **Remote Desktop Users** group on a Windows device, it isn't honoured when the user that belongs to the Azure AD group logs in through RDP resulting in failure to establish the remote connection. In this scenario, Network Level Authentication should be disabled to allow the connection.

## Add users to Remote Desktop Users group

Remote Desktop Users group is used to grant users and groups permissions to remotely connect to the device. Users can be added either manually or through MDM policies:

- **Adding users manually**:

You can specify individual Azure AD accounts for remote connections by running the following command, where `<userUPN>` is the UPN of the user, for example `user@domain.com`:

```cmd
net localgroup "Remote Desktop Users" /add "AzureAD\<userUPN>"
```

In order to execute this command, you must be a member of the local Administrators group. Otherwise, you may see an error similar to `There is no such global user or group: <name>`.

- **Adding users using policy**:

Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).

## Related articles

[How to use Remote Desktop](https://support.microsoft.com/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c)
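Review bot: The second NOTE under "Supported configurations" tells readers that "Network Level Authentication should be disabled" when an Azure AD group in **Remote Desktop Users** isn't honoured, but the Prerequisites section recommends selecting **Require devices to use Network Level Authentication to connect**; the note should say plainly that turning NLA off gives up the protection the prerequisites recommend, and should point readers first to the alternative this same page documents, adding the individual accounts with `net localgroup "Remote Desktop Users" /add "AzureAD\<userUPN>"` or through the MDM policy under "Adding users using policy", before suggesting NLA be disabled. The prerequisite "Ensure Remote Credential Guard is turned off on the device you're using to connect" gives no reason; one sentence explaining why, or a link to the relevant part of the Remote Credential Guard article, would stop readers from treating a security control as optional housekeeping. Minor: "dialogue" in the last step of "Connect with Azure AD Authentication" should be "dialog", and the `cmd` block and its explanatory paragraphs under "Adding users manually" need to be indented under the list item so they render as part of it.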
@ -0,0 +1,34 @@
---
title: Group Policy settings that apply only to Windows 10 Enterprise and Education Editions (Windows 10)
description: Use this topic to learn about Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education.
ms.prod: windows-client
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/14/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: troubleshooting
ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---

# Group Policy settings that apply only to Windows 10 Enterprise and Education Editions

In Windows 10, version 1607, the following Group Policy settings apply only to Windows 10 Enterprise and Windows 10 Education.

| Policy name | Policy path | Comments |
| --- | --- | --- |
| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. |
| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Do not require CTRL+ALT+DEL** </br>combined with</br>**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon </br>and</br>Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](/windows/configuration/set-up-a-device-for-anyone-to-use)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro. </br></br>**Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.|
| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | In Windows 10, version 1703, this policy setting can be applied to Windows 10 Pro. For more info, see [Manage Windows 10 Start layout options and policies](/windows/configuration/windows-10-start-layout-options-and-policies) |
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store). |
| **Only display the private store within the Microsoft Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app<br><br>User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app | For more info, see [Manage access to private store](/microsoft-store/manage-access-to-private-store) |
| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) |
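Review bot: The title and lead sentence say these settings "apply only to Windows 10 Enterprise and Education", yet the **Start layout** row states the policy "can be applied to Windows 10 Pro" from version 1703 and the first row notes a Cloud Content policy that "does apply to Windows 10 Pro"; add a qualifying sentence to the intro so the table does not contradict its heading. The **Important** text in the **Do not require CTRL+ALT+DEL** row promises the Group Policy Editor description "will be corrected in a future release"; with ms.date 09/14/2021 and Windows 11 in the appliesto list, that should be verified and either updated or removed. Style: the **Policy path** column mixes ">" separators with backslash paths ("User Configuration\Administrative Templates\Start Menu and Taskbar", "Computer Configuration\Administrative Templates\Windows Components\Search\...") and `</br>` with `<br>`; use one convention throughout.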
@ -0,0 +1,673 @@
|
||||
---
|
||||
title: Manage Device Installation with Group Policy (Windows 10 and Windows 11)
|
||||
description: Find out how to manage Device Installation Restrictions with Group Policy.
|
||||
ms.prod: windows-client
|
||||
author: vinaypamnani-msft
|
||||
ms.date: 09/14/2021
|
||||
ms.reviewer:
|
||||
manager: aaroncz
|
||||
ms.author: vinpa
|
||||
ms.topic: article
|
||||
ms.technology: itpro-manage
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
|
||||
---
|
||||
|
||||
# Manage Device Installation with Group Policy
|
||||
|
||||
## Summary
|
||||
|
||||
By using Windows operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy.
|
||||
|
||||
## Introduction
|
||||
|
||||
### General
|
||||
|
||||
This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and can't install. This guide applies to all Windows versions starting with RS5 (1809). The guide includes the following scenarios:
|
||||
|
||||
- Prevent users from installing devices that are on a "prohibited" list. If a device isn't on the list, then the user can install it.
|
||||
- Allow users to install only devices that are on an "approved" list. If a device isn't on the list, then the user can't install it.
|
||||
|
||||
This guide describes the device installation process and introduces the device identification strings that Windows uses to match a device with the device-driver packages available on a machine. The guide also illustrates two methods of controlling device installation. Each scenario shows, step by step, one method you can use to allow or prevent the installation of a specific device or a class of devices.
|
||||
|
||||
The example device used in the scenarios is a USB storage device. You can perform the steps in this guide using a different device. However, if you use a different device, then the instructions in the guide won't exactly match the user interface that appears on the computer.
|
||||
|
||||
It's important to understand that the Group Policies that are presented in this guide are only applied to machines/machine-groups, not to users/user-groups.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> The steps provided in this guide are intended for use in a test lab environment. This step-by-step guide isn't meant to be used to deploy Windows Server features without accompanying documentation and should be used with discretion as a stand-alone document.
|
||||
|
||||
### Who Should Use This Guide?
|
||||
|
||||
This guide is targeted at the following audiences:
|
||||
|
||||
- Information technology planners and analysts who are evaluating Windows 10, Windows 11 or Windows Server 2022
|
||||
- Enterprise information technology planners and designers
|
||||
- Security architects who are responsible for implementing trustworthy computing in their organization
|
||||
- Administrators who want to become familiar with the technology
|
||||
|
||||
### Benefits of Controlling Device Installation Using Group Policy
|
||||
|
||||
Restricting the devices that users can install reduces the risk of data theft and reduces the cost of support.
|
||||
|
||||
#### Reduce the risk of data theft
|
||||
|
||||
It's more difficult for users to make unauthorized copies of company data if users' computers can't install unapproved devices that support removable media. For example, if users can't install a USB thumb-drive device, they can't download copies of company data onto a removable storage. This benefit can't eliminate data theft, but it creates another barrier to unauthorized removal of data.
|
||||
|
||||
#### Reduce support costs
|
||||
|
||||
You can ensure that users install only those devices that your technical support team is trained and equipped to support. This benefit reduces support costs and user confusion.
|
||||
|
||||
## Scenario Overview
|
||||
|
||||
The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy.. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site.
|
||||
|
||||
Group Policy guides:
|
||||
|
||||
- [Create a Group Policy Object (Windows 10) - Windows Security](/windows/security/threat-protection/windows-firewall/create-a-group-policy-object)
|
||||
- [Advanced Group Policy Management - Microsoft Desktop Optimization Pack](/microsoft-desktop-optimization-pack/agpm)
|
||||
|
||||
### Scenario #1: Prevent installation of all printers
|
||||
|
||||
In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the 'prevent/allow' functionality of Device Installation policies in Group Policy.
|
||||
|
||||
### Scenario #2: Prevent installation of a specific printer
|
||||
|
||||
In this scenario, the administrator allows standard users to install all printers while but preventing them from installing a specific one.
|
||||
|
||||
### Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed
|
||||
|
||||
In this scenario, you'll combine what you learned from both scenario #1 and scenario #2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This scenario is a more realistic one and brings you a step farther in understanding of the Device Installation Restrictions policies.
|
||||
|
||||
### Scenario #4: Prevent installation of a specific USB device
|
||||
|
||||
This scenario, although similar to scenario #2, brings another layer of complexity - how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree.
|
||||
|
||||
### Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive
|
||||
|
||||
In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the 'prevent' functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario.
|
||||
|
||||
## Technology Review

The following sections provide a brief overview of the core technologies discussed in this guide and give background information that is necessary to understand the scenarios.

### Device Installation in Windows

A device is a piece of hardware with which Windows interacts to perform some function, or, in a more technical definition, it's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type.

When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those strings included with the driver packages.

Windows uses four types of identifiers to control device installation and configuration. You can use the Group Policy settings in Windows to specify which of these identifiers to allow or block.

The four types of identifiers are:

- Device Instance ID
- Device ID
- Device setup classes
- 'Removable Devices' device type

#### Device Instance ID

A device instance ID is a system-supplied device identification string that uniquely identifies a device in the system. The Plug and Play (PnP) manager assigns a device instance ID to each device node (devnode) in a system's device tree.

#### Device ID

Windows can use each device identification string to match a device to a driver package. The strings range from the specific, matching a single make and model of a device, to the general, possibly applying to an entire class of devices. There are two types of device identification strings: hardware IDs and compatible IDs.

##### Hardware IDs

Hardware IDs are the identifiers that provide the exact match between a device and a driver package. The first string in the list of hardware IDs is referred to as the device ID, because it matches the exact make, model, and revision of the device. The other hardware IDs in the list match the details of the device less exactly. For example, a hardware ID might identify the make and model of the device but not the specific revision. This scheme allows Windows to use a driver for a different revision of the device if the driver for the correct revision isn't available.

##### Compatible IDs

Windows uses these identifiers to select a driver if the operating system can't find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they're generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device.

When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see [How Windows selects a driver package for a device](/windows-hardware/drivers/install/how-windows-selects-a-driver-for-a-device).

> [!NOTE]
> For more information about the driver installation process, see the "Technology review" section of the Step-by-Step Guide to Driver Signing and Staging.

Some physical devices create one or more logical devices when they're installed. Each logical device might handle part of the functionality of the physical device. For example, a multi-function device, such as an all-in-one scanner/fax/printer, might have a different device identification string for each function.

When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. For example, if a user attempts to install a multifunction device and you didn't allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see [Device identification strings](/windows-hardware/drivers/install/device-identification-strings).

#### Device setup classes

Device setup classes (also known as _Class_) are another type of identification string. The manufacturer assigns the Class to a device in the driver package. The Class groups devices that are installed and configured in the same way. For example, all Biometric devices belong to the Biometric Class (ClassGuid = {53D29EF7-377C-4D14-864B-EB3A85769359}), and they use the same co-installer when installed. A long number called a globally unique identifier (GUID) represents each device setup class. When Windows starts, it builds an in-memory tree structure with the GUIDs for all of the detected devices. Along with the GUID for the Class of the device itself, Windows may need to insert into the tree the GUID for the Class of the bus to which the device is attached.

When you use device Classes to allow or prevent users from installing drivers, you must specify the GUIDs for all of the device's device setup classes, or you might not achieve the results you want. The installation might fail (if you want it to succeed) or it might succeed (if you want it to fail).

For example, a multi-function device, such as an all-in-one scanner/fax/printer, has a GUID for a generic multi-function device, a GUID for the printer function, a GUID for the scanner function, and so on. The GUIDs for the individual functions are "child nodes" under the multi-function device GUID. To install a child node, Windows must also be able to install the parent node. You must allow installation of the device setup class of the parent GUID for the multi-function device in addition to any child GUIDs for the printer and scanner functions.

For more information, see [Device Setup Classes](/windows-hardware/drivers/install/overview-of-device-setup-classes).

This guide doesn't depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices.

The following two links provide the complete list of Device Setup Classes. 'System Use' classes mostly refer to devices that ship with a computer from the factory, while 'Vendor' classes mostly refer to devices that can be connected to an existing computer:

- [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors)
- [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use)

#### 'Removable Device' Device type

Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected.

### Group Policy Settings for Device Installation

Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences.

The Device Installation section of Group Policy is a set of policy settings that control which devices can or can't be installed on a machine. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more information, see [Group Policy Object Editor](/previous-versions/windows/desktop/Policy/group-policy-object-editor).

The following passages are brief descriptions of the Device Installation policies that are used in this guide.

> [!NOTE]
> Device Installation control is applied only to machines ('computer configuration') and not users ('user configuration') by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You can't apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section.

#### Allow administrators to override Device Installation Restriction policies

This policy setting allows members of the local Administrators group to install and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, administrators can use the Add Hardware Wizard or the Update Driver Wizard to install and update the drivers for any device. If you disable or don't configure this policy setting, administrators are subject to all policy settings that restrict device installation.

#### Allow installation of devices that match any of these device IDs

This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and doesn't take precedence over any policy setting that would prevent users from installing a device. If you enable this policy setting, users can install and update any device with a hardware ID or compatible ID that matches an ID in this list if that installation hasn't been prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users can't install it even if the device is also described by a value in this policy setting. If you disable or don't configure this policy setting and no other policy describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device.

#### Allow installation of devices that match any of these device instance IDs

This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

#### Allow installation of devices using drivers that match these device setup classes

This policy setting specifies a list of device setup class GUIDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and doesn't take precedence over any policy setting that would prevent users from installing a device. If you enable this setting, users can install and update any device with a hardware ID or compatible ID that matches one of the IDs in this list if that installation hasn't been prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users can't install it even if the device is also described by a value in this policy setting. If you disable or don't configure this policy setting and no other policy setting describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device.

#### Prevent installation of devices that match these device IDs

This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs for devices that users can't install. If you enable this policy setting, users can't install or update the driver for a device if its hardware ID or compatible ID matches one in this list. If you disable or don't configure this policy setting, users can install devices and update their drivers, as permitted by other policy settings for device installation.

Note: This policy setting takes precedence over any other policy settings that allow users to install a device. This policy setting prevents users from installing a device even if it matches another policy setting that would allow installation of that device.

#### Prevent installation of devices that match any of these device instance IDs

This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.

#### Prevent installation of devices using drivers that match these device setup classes

This policy setting specifies a list of Plug and Play device setup class GUIDs for devices that users can't install. If you enable this policy setting, users can't install or update devices that belong to any of the listed device setup classes. If you disable or don't configure this policy setting, users can install and update devices as permitted by other policy settings for device installation.

Note: This policy setting takes precedence over any other policy settings that allow users to install a device. This policy setting prevents a device from being installed even if it matches another policy setting that would allow installation of that device.

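The policy settings described above are written by the Group Policy editor as registry values under `HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions`, which makes the effective configuration of a machine easy to audit. The following PowerShell is an added example written for this page, not part of the guide or of Windows: it reads those values back into one object so you can see which Allow and Prevent lists are actually in force. The value names used here (`DenyDeviceIDs`, `AllowDeviceClasses`, `DenyUnspecified`, and so on, with each list stored as numbered string values in a subkey of the same name) are the ones I know from the DeviceInstallation.admx template; treat them as an assumption and confirm against the template in your environment if the results look incomplete.

```powershell
# Added example (not from the guide): read back the Device Installation Restriction
# policy values that the Group Policy editor writes to the local machine.
$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Test-RestrictionFlag {
    # $true when the named DWORD exists under the Restrictions key and is 1 (policy enabled).
    param([Parameter(Mandatory)] [string] $ValueName)
    if (-not (Test-Path $RestrictionsKey)) { return $false }
    $item = Get-ItemProperty -Path $RestrictionsKey -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

function Get-RestrictionIdList {
    # A list policy keeps its entries as string values named 1, 2, 3 ... in a subkey that has
    # the same name as its enabling DWORD (assumed layout). Returns them in numeric order.
    param([Parameter(Mandatory)] [string] $ListName)
    if (-not (Test-RestrictionFlag $ListName)) { return @() }
    $subKey = Join-Path $RestrictionsKey $ListName
    if (-not (Test-Path $subKey)) { return @() }
    $key = Get-Item -Path $subKey
    $names = $key.GetValueNames() | Where-Object { $_ -match '^\d+$' } | Sort-Object { [int] $_ }
    return @($names | ForEach-Object { $key.GetValue($_) })
}

function Get-DeviceInstallRestrictionPolicy {
    # One object summarising every policy setting described in this section.
    [pscustomobject]@{
        AllowAdminInstall            = Test-RestrictionFlag 'AllowAdminInstall'
        DenyUnspecified              = Test-RestrictionFlag 'DenyUnspecified'   # "not described by other policy settings"
        DenyRemovableDevices         = Test-RestrictionFlag 'DenyRemovableDevices'
        AllowInstanceIds             = Get-RestrictionIdList 'AllowInstanceIDs'
        DenyInstanceIds              = Get-RestrictionIdList 'DenyInstanceIDs'
        DenyInstanceIdsRetroactive   = Test-RestrictionFlag 'DenyInstanceIDsRetroactive'
        AllowDeviceIds               = Get-RestrictionIdList 'AllowDeviceIDs'
        DenyDeviceIds                = Get-RestrictionIdList 'DenyDeviceIDs'
        DenyDeviceIdsRetroactive     = Test-RestrictionFlag 'DenyDeviceIDsRetroactive'
        AllowDeviceClasses           = Get-RestrictionIdList 'AllowDeviceClasses'
        DenyDeviceClasses            = Get-RestrictionIdList 'DenyDeviceClasses'
        DenyDeviceClassesRetroactive = Test-RestrictionFlag 'DenyDeviceClassesRetroactive'
    }
}

# Usage: show the lists in force and flag a retroactive block of a whole setup class,
# the combination this guide warns about.
$policy = Get-DeviceInstallRestrictionPolicy
$policy | Format-List
if ($policy.DenyDeviceClasses.Count -gt 0 -and $policy.DenyDeviceClassesRetroactive) {
    Write-Warning 'A setup class is blocked retroactively; devices already installed in that class are affected.'
}
```

Run it in an elevated PowerShell after `gpupdate /force` to see exactly what a machine received; a disabled policy shows its DWORD as 0 (or absent) and an empty list, which is why each list is gated on its enabling flag.
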
### Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria

This policy setting changes the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria are applied based on an established hierarchy, where more specific match criteria supersede less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows:

> **Device instance IDs** > **Device IDs** > **Device setup class** > **Removable devices**

> [!NOTE]
> This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored.
>
> If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device.

Some of these policies take precedence over other policies. The flowchart below illustrates how Windows processes them to determine whether a user can install a device.

_Device Installation policies flow chart_

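To make the two evaluation orders concrete, here is an added PowerShell model, written for this page and not part of the guide or of Windows, that applies the Prevent and Allow lists to one device the way the text above describes: with 'Apply layered order of evaluation' enabled, the most specific criterion that matches decides; without it, any Prevent beats any Allow. Within a single tier the model checks Prevent before Allow, which is an assumption of the model rather than a statement from the guide. The sample policy is scenario #3 of this guide (the Printer class GUID and the Canon printer's hardware ID); the second printer's hardware ID and both instance IDs are constructed for the example.

```powershell
# Added example, not part of the guide: a model of how the Device Installation
# Restriction policies decide whether one device may be installed.

function Test-IdInList {
    # $true when any of the device's identifier strings appears in the policy list.
    # PowerShell's -in is case-insensitive, which matches how the IDs are compared.
    param([string[]] $Ids, [string[]] $PolicyList)
    if (-not $PolicyList) { return $false }
    foreach ($id in $Ids) { if ($id -in $PolicyList) { return $true } }
    return $false
}

function Resolve-DeviceInstallDecision {
    param(
        # Keys: InstanceId, HardwareIds, CompatibleIds, ClassGuid (with braces), Removable
        [Parameter(Mandatory)] [hashtable] $Device,
        # Keys: LayeredEvaluation, DenyUnspecified, DenyRemovableDevices, AllowAdminInstall,
        # AllowInstanceIds, DenyInstanceIds, AllowDeviceIds, DenyDeviceIds,
        # AllowDeviceClasses, DenyDeviceClasses (missing keys count as "not configured")
        [Parameter(Mandatory)] [hashtable] $Policy,
        [switch] $UserIsAdministrator
    )
    if ($UserIsAdministrator -and $Policy.AllowAdminInstall) {
        return 'Allow (administrator override)'
    }
    # "Device ID" policies match both hardware IDs and compatible IDs.
    $deviceIds = @($Device.HardwareIds) + @($Device.CompatibleIds)

    # The four match criteria, most specific first. Removable devices have only a Prevent policy.
    $tiers = @(
        [pscustomobject]@{ Name  = 'Device instance ID'
                           Deny  = Test-IdInList @($Device.InstanceId) $Policy.DenyInstanceIds
                           Allow = Test-IdInList @($Device.InstanceId) $Policy.AllowInstanceIds }
        [pscustomobject]@{ Name  = 'Device ID'
                           Deny  = Test-IdInList $deviceIds $Policy.DenyDeviceIds
                           Allow = Test-IdInList $deviceIds $Policy.AllowDeviceIds }
        [pscustomobject]@{ Name  = 'Device setup class'
                           Deny  = Test-IdInList @($Device.ClassGuid) $Policy.DenyDeviceClasses
                           Allow = Test-IdInList @($Device.ClassGuid) $Policy.AllowDeviceClasses }
        [pscustomobject]@{ Name  = 'Removable device'
                           Deny  = [bool]($Device.Removable -and $Policy.DenyRemovableDevices)
                           Allow = $false }
    )

    if ($Policy.LayeredEvaluation) {
        # Layered order: the first (most specific) tier with any match decides.
        foreach ($tier in $tiers) {
            if ($tier.Deny)  { return "Prevent ($($tier.Name))" }
            if ($tier.Allow) { return "Allow ($($tier.Name))" }
        }
    }
    else {
        # Default order: any Prevent match wins over every Allow match.
        $denied = $tiers | Where-Object { $_.Deny } | Select-Object -First 1
        if ($denied) { return "Prevent ($($denied.Name))" }
        $allowed = $tiers | Where-Object { $_.Allow } | Select-Object -First 1
        if ($allowed) { return "Allow ($($allowed.Name))" }
    }
    # No list described the device, so "Prevent installation of devices not described
    # by other policy settings" decides.
    if ($Policy.DenyUnspecified) { return 'Prevent (not described by other policy settings)' }
    return 'Allow (no policy applies)'
}

# Scenario #3 from the guide: block the Printer class, allow one printer by hardware ID.
$scenario3 = @{
    LayeredEvaluation = $true
    DenyDeviceClasses = @('{4d36e979-e325-11ce-bfc1-08002be10318}')
    AllowDeviceIds    = @('WSDPRINT\CanonMX920_seriesC1A0')
}
$canonPrinter = @{   # hardware ID from the guide; the instance ID is constructed
    InstanceId    = 'WSDPRINT\CanonMX920_seriesC1A0\EXAMPLE-INSTANCE-1'
    HardwareIds   = @('WSDPRINT\CanonMX920_seriesC1A0'); CompatibleIds = @()
    ClassGuid     = '{4d36e979-e325-11ce-bfc1-08002be10318}'; Removable = $false
}
$otherPrinter = @{   # constructed: a different printer in the same setup class
    InstanceId    = 'WSDPRINT\Contoso_Printer\EXAMPLE-INSTANCE-2'
    HardwareIds   = @('WSDPRINT\Contoso_Printer'); CompatibleIds = @()
    ClassGuid     = '{4d36e979-e325-11ce-bfc1-08002be10318}'; Removable = $false
}
$noLayering = $scenario3.Clone(); $noLayering.LayeredEvaluation = $false

Resolve-DeviceInstallDecision $canonPrinter $scenario3
Resolve-DeviceInstallDecision $otherPrinter $scenario3
Resolve-DeviceInstallDecision $canonPrinter $noLayering
```

Tracing the three calls through the model: with layered evaluation the Canon printer is decided at the Device ID tier (Allow) before the class-level Prevent is reached, the constructed printer falls through to the setup class tier (Prevent), and with layered evaluation off the class-level Prevent beats the Canon printer's device-level Allow. That last case is why scenario #3 tells you to enable 'Apply layered order of evaluation'.
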
## Requirements for completing the scenarios

### General

To complete each of the scenarios, ensure you have:

- A client computer running Windows.

- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a "removable disk drive", "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build.

- A USB/network printer pre-installed on the machine.

- Access to the administrator account on the testing machine. The procedures in this guide require administrator privileges for most steps.

### Understanding implications of applying 'Prevent' policies retroactively

All 'Prevent' policies can apply the block functionality to already installed devices, that is, devices that were installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices.

For example: a printer is already installed on the machine. Preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactively, the administrator should select the "apply this policy to already installed devices" option. Marking this option will prevent access to already installed devices in addition to any future ones.

This option is a powerful tool, but as such it has to be used carefully.

> [!IMPORTANT]
> Applying the 'Prevent retroactive' option to crucial devices could render the machine unusable. For example: retroactively preventing the entire 'Disk Drives' class could block access to the disk that the OS boots from; retroactively preventing the entire 'Net' class could cut the machine off from the network, and to fix the issue the admin would need a direct connection to the machine.

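Before you select the 'also apply to matching devices that are already installed' option, it helps to see which present devices a Prevent list would hit. The following PowerShell is an added example written for this page, not part of the guide: it lists the devices currently present on the machine that match the class GUIDs, device IDs, or instance IDs you are about to block, and warns when any of them sit in the 'DiskDrive' or 'Net' classes the warning above refers to. It relies on the PnpDevice module's `Get-PnpDevice` cmdlet, whose output carries each device's `ClassGuid`, `HardwareID`, and `CompatibleID` properties; the function and parameter names are mine.

```powershell
# Added example (not from the guide): preview which installed devices a retroactive
# Prevent policy would affect before you enable it.
function Get-DeviceAffectedByPrevent {
    param(
        [string[]] $ClassGuid  = @(),   # e.g. '{4d36e979-e325-11ce-bfc1-08002be10318}' (Printer class)
        [string[]] $DeviceId   = @(),   # hardware IDs or compatible IDs
        [string[]] $InstanceId = @()
    )
    Get-PnpDevice -PresentOnly | Where-Object {
        $device = $_                                     # keep the outer $_ before the nested Where-Object shadows it
        $ids = @($device.HardwareID) + @($device.CompatibleID)
        ($device.ClassGuid -in $ClassGuid) -or
        ($device.InstanceId -in $InstanceId) -or
        [bool]($ids | Where-Object { $_ -in $DeviceId })
    } | Select-Object Class, FriendlyName, InstanceId, Status
}

function Show-RetroactivePreventImpact {
    # Prints the affected devices and warns when the list reaches the disk or network classes
    # that this guide singles out as able to make the machine unbootable or unreachable.
    param([string[]] $ClassGuid = @(), [string[]] $DeviceId = @(), [string[]] $InstanceId = @())
    $affected = @(Get-DeviceAffectedByPrevent -ClassGuid $ClassGuid -DeviceId $DeviceId -InstanceId $InstanceId)
    $affected | Format-Table -AutoSize | Out-Host
    $critical = @($affected | Where-Object { $_.Class -in @('DiskDrive', 'Net') })
    if ($critical.Count -gt 0) {
        Write-Warning ("A retroactive Prevent would hit {0} disk or network device(s); the machine may become unbootable or unreachable." -f $critical.Count)
    }
    return $affected
}

# Usage: preview the Printer-class block from scenario #1 against this machine.
Show-RetroactivePreventImpact -ClassGuid '{4d36e979-e325-11ce-bfc1-08002be10318}'
```

The same function previews the device ID policies: pass the hardware ID you copied from Device Manager with `-DeviceId` and you see every present device whose hardware or compatible ID list contains it, which is the quickest way to notice that an ID is less specific than you thought.
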
## Determine device identification strings

By following these steps, you can determine the device identification strings for your device. If the hardware IDs and compatible IDs for your device don't match those IDs shown in this guide, use the IDs that are appropriate to your device (the same policies apply to Instance IDs and Classes, but this guide doesn't give an example for them).

You can determine the hardware IDs and compatible IDs for your device in two ways. You can use Device Manager, a graphical tool included with the operating system, or PnPUtil, a command-line tool available for all Windows versions. Use the following procedure to view the device identification strings for your device.

> [!NOTE]
> These procedures are specific to a Canon printer. If you are using a different type of device, you must adjust the steps accordingly. The significant difference will be the location of the device in the Device Manager hierarchy. Instead of being located in the Printers node, you must locate your device in the appropriate node.

To find device identification strings using Device Manager:

1. Make sure your printer is plugged in and installed.

1. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as an application.

1. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computer's name next to it. Lower nodes represent the various categories of hardware into which your computer's devices are grouped.

1. Find the "Printers" section and find the target printer.

    _Selecting the printer in Device Manager_

1. Double-click the printer and move to the 'Details' tab.

    _Open the 'Details' tab to look for the device identifiers_

1. From the 'Value' window, copy the most detailed Hardware ID; we'll use this value in the policies.

    _HWID and Compatible ID_

> [!TIP]
> You can also determine your device identification strings by using the PnPUtil command-line utility. For more information, see [PnPUtil - Windows drivers](/windows-hardware/drivers/devtest/pnputil).

### Getting device identifiers using PnPUtil

```console
pnputil /enum-devices /ids
```

Here's an example of an output for a single device on a machine:

```console
<snip>
Instance ID:                PCI\VEN_8086&DEV_2F34&SUBSYS_2F348086&REV_02\3&103a9d54&0&81
Device Description:         Intel(R) Xeon(R) E7 v3/Xeon(R) E5 v3/Core i7 PCIe Ring Interface - 2F34
Class Name:                 System
Class GUID:                 {4d36e97d-e325-11ce-bfc1-08002be10318}
Manufacturer Name:          INTEL
Status:                     Stopped
Driver Name:                oem6.inf
Hardware IDs:               PCI\VEN_8086&DEV_2F34&SUBSYS_2F348086&REV_02
                            PCI\VEN_8086&DEV_2F34&SUBSYS_2F348086
                            PCI\VEN_8086&DEV_2F34&CC_110100
                            PCI\VEN_8086&DEV_2F34&CC_1101
Compatible IDs:             PCI\VEN_8086&DEV_2F34&REV_02
                            PCI\VEN_8086&DEV_2F34
                            PCI\VEN_8086&CC_110100
                            PCI\VEN_8086&CC_1101
                            PCI\VEN_8086
                            PCI\CC_110100
                            PCI\CC_1101
<snip>
```

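The same identifiers that `pnputil /enum-devices /ids` prints can be retrieved as objects, which is handier when you need to feed them into a policy or compare several devices. The following PowerShell is an added example written for this page, not part of the guide: it looks a device up by friendly name (wildcards allowed, for example `*Canon*`) and returns its instance ID, setup class GUID, hardware IDs and compatible IDs in the order Windows ranks them, plus two details the later scenarios depend on: whether the parent bus driver reports the device as removable, and the parent devnode's instance ID, which shows where the device hangs in the PnP tree. It uses `Get-PnpDevice` and `Get-PnpDeviceProperty` from the PnpDevice module with the `DEVPKEY_Device_Capabilities` and `DEVPKEY_Device_Parent` property keys; the `0x4` bit is `CM_DEVCAP_REMOVABLE` from the Windows driver headers, and the function name is mine.

```powershell
# Added example (not from the guide): collect a device's identification strings as one object.
function Get-DeviceInstallIdentifier {
    param(
        [Parameter(Mandatory)] [string] $FriendlyName   # wildcards allowed, for example '*Canon*'
    )
    foreach ($device in Get-PnpDevice -PresentOnly -FriendlyName $FriendlyName) {
        $props = Get-PnpDeviceProperty -InstanceId $device.InstanceId `
                                       -KeyName 'DEVPKEY_Device_Capabilities', 'DEVPKEY_Device_Parent'
        $capabilities = ($props | Where-Object KeyName -eq 'DEVPKEY_Device_Capabilities').Data
        $parent       = ($props | Where-Object KeyName -eq 'DEVPKEY_Device_Parent').Data

        [pscustomobject]@{
            FriendlyName     = $device.FriendlyName
            InstanceId       = $device.InstanceId        # value for the "device instance ID" policies
            Class            = $device.Class
            ClassGuid        = $device.ClassGuid         # value for the "device setup class" policies, braces included
            HardwareIds      = @($device.HardwareID)     # most specific first; the first entry is the device ID
            CompatibleIds    = @($device.CompatibleID)   # listed in decreasing suitability
            Removable        = [bool]([uint32] $capabilities -band 0x4)   # CM_DEVCAP_REMOVABLE, set by the parent bus driver
            ParentInstanceId = $parent                   # the devnode this device is attached to in the PnP tree
        }
    }
}

# Usage: the most specific hardware ID is the value to paste into a device ID policy.
$printer = Get-DeviceInstallIdentifier -FriendlyName '*Canon*'
$printer | Format-List
$printer | ForEach-Object { $_.HardwareIds[0] }
```

For a USB device, `ParentInstanceId` points at the hub port it is plugged into, and following that chain upward with the same cmdlets shows the nesting that scenario #4 relies on; `Removable` is the property the 'Prevent installation of removable devices' policy keys on, and it is set by the parent's driver rather than by the device itself, exactly as the 'Removable Device' section above describes.
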
## Scenario #1: Prevent installation of all printers

In this simple scenario, you'll learn how to prevent the installation of an entire Class of devices.

### Setting up the environment

Set up the environment for the scenario with the following steps:

1. Open Group Policy Editor and navigate to the Device Installation Restriction section.

1. Disable all previous Device Installation policies, except 'Apply layered order of evaluation'. Although that policy is disabled by default, it's recommended to enable it in most practical applications.

1. If any policies are enabled, changing their status to 'Disabled' clears all of their parameters.

1. Have a USB/network printer available to test the policy with.

### Scenario steps - preventing installation of prohibited devices

Getting the right device identifier to prevent it from being installed:

1. If you have on your system a device from the class you want to block, you can follow the steps in the previous section to find the Device Class identifier (Class GUID) through Device Manager or PnPUtil.

1. If you don't have such a device installed on your system, or you know the name of the class, you can check the following two links:

    - [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors)
    - [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use)

1. Our current scenario is focused on preventing all printers from being installed, so here's the Class GUID for most printers on the market:

    > Printers\
    > Class = Printer\
    > ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318}\
    > This class includes printers.

> [!NOTE]
> As mentioned before, preventing an entire Class could block you from using your system completely. Please make sure you understand which devices are going to be blocked when specifying a Class. For our scenario, there are other classes that relate to printers, but before you apply them, make sure they're not blocking any other existing device that is crucial to your system.

Creating the policy to prevent all printers from being installed:

1. Open Group Policy Object Editor: either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type "Group Policy Editor" in the Windows search and open the UI.

1. Navigate to the Device Installation Restriction page:

    > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions

1. Make sure all policies are disabled (it's recommended to keep the 'Apply layered order of evaluation' policy enabled).

1. Open the **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button.

1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option takes you to a table where you can enter the class identifier to block.

1. Enter the printer class GUID you found above, including the curly braces (this convention is important! Otherwise, it won't work): {4d36e979-e325-11ce-bfc1-08002be10318}

    _List of prevent Class GUIDs_

1. Click 'OK'.

1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs.

1. Optional: if you would like to apply the policy to existing installs, open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window, mark the checkbox that says 'also apply to matching devices that are already installed'.

> [!IMPORTANT]
> Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use it with caution. For example: if an IT admin wants to prevent all removable storage devices from being installed on the machine, using the 'Disk Drive' class for blocking and applying it retroactively could render the internal hard drive unusable and break the machine.

### Testing the scenario

1. If you haven't completed step #9, follow these steps:

    1. Uninstall your printer: Device Manager > Printers > right-click the Canon Printer > click "Uninstall device".
    1. For a USB printer, unplug and plug back the cable; for a network device, search for the printer in the Windows Settings app.
    1. You shouldn't be able to reinstall the printer.

1. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no longer available for you to use.

## Scenario #2: Prevent installation of a specific printer

This scenario builds upon scenario #1, Prevent installation of all printers. In this scenario, you target a specific printer to prevent it from being installed on the machine.

### Setting up the environment

Set up the environment for the scenario with the following steps:

1. Open Group Policy Editor and navigate to the Device Installation Restriction section.

1. Ensure all previous Device Installation policies are disabled except 'Apply layered order of evaluation'. Although that policy is disabled by default, it's recommended to enable it in most practical applications; for scenario #2, it's optional whether it's on or off.

### Scenario steps - preventing installation of a specific device

Getting the right device identifier to prevent it from being installed:

1. Get your printer's Hardware ID. In this example, we'll use the identifier we found previously.

    _Printer Hardware ID_

1. Write down the device ID (in this case the Hardware ID): WSDPRINT\CanonMX920_seriesC1A0. Take the more specific identifier to make sure you block a specific printer and not a family of printers.

Creating the policy to prevent a single printer from being installed:

1. Open Group Policy Object Editor: either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type "Group Policy Editor" in the Windows search and open the UI.

1. Navigate to the Device Installation Restriction page:

    > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions

1. Open the **Prevent installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.

1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option takes you to a table where you can enter the device identifier to block.

1. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0

    _Prevent Device ID list_

1. Click 'OK'.

1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks the target printer in future installations, but doesn't apply to an existing install.

1. Optional: if you would like to apply the policy to an existing install, open the **Prevent installation of devices that match any of these device IDs** policy again; in the 'Options' window, mark the checkbox that says 'also apply to matching devices that are already installed'.

### Testing the scenario
|
||||
|
||||
If you completed step #8 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use.
|
||||
|
||||
If you haven't completed step #8, follow these steps:
|
||||
|
||||
1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device".
|
||||
|
||||
1. For USB printer - unplug and plug back the cable; for network device - make a search for the printer in the Windows Settings app.
|
||||
|
||||
1. You shouldn't be able to reinstall the printer.
|
||||
|
||||
## Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed
|
||||
|
||||
Now, using the knowledge from both previous scenarios, you'll learn how to prevent the installation of an entire Class of devices while allowing a single printer to be installed.
|
||||
|
||||
### Setting up the environment
|
||||
|
||||
Setting up the environment for the scenario with the following steps:
|
||||
|
||||
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
|
||||
|
||||
1. Disable all previous Device Installation policies, and enable 'Apply layered order of evaluation'.
|
||||
|
||||
1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters.
|
||||
|
||||
1. Have a USB/network printer available to test the policy with.
|
||||
|
||||
### Scenario steps - preventing installation of an entire class while allowing a specific printer
|
||||
|
||||
Getting the device identifier for both the Printer Class and a specific printer - following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario:
|
||||
|
||||
- ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318}
|
||||
- Hardware ID = WSDPRINT\CanonMX920_seriesC1A0
|
||||
|
||||
First create a 'Prevent Class' policy and then create 'Allow Device' one:
|
||||
|
||||
1. Open Group Policy Object Editor - either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
|
||||
|
||||
1. Navigate to the Device Installation Restriction page:
|
||||
|
||||
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
|
||||
|
||||
1. Make sure all policies are disabled
|
||||
|
||||
1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button.
|
||||
|
||||
1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block.
|
||||
|
||||
1. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it won't work): {4d36e979-e325-11ce-bfc1-08002be10318}
|
||||
|
||||
<br/>_List of prevent Class GUIDs_
|
||||
|
||||
1. Click 'OK'.
|
||||
|
||||
1. Click 'Apply' on the bottom right of the policy's window - this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs.
|
||||
|
||||
1. To complete the coverage of all future and existing printers - Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK'
|
||||
|
||||
1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it - this policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device.
|
||||
|
||||

|
||||
|
||||
<br/>_Apply layered order of evaluation policy_
|
||||
|
||||
1. Now Open **Allow installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
|
||||
|
||||
1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to allow.
|
||||
|
||||
1. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0.
|
||||
|
||||
<br/>_Allow Printer Hardware ID_
|
||||
|
||||
1. Click 'OK'.
|
||||
|
||||
1. Click 'Apply' on the bottom right of the policy's window - this option pushes the policy and allows the target printer to be installed (or stayed installed).
|
||||
|
||||
## Testing the scenario
|
||||
|
||||
1. Look for your printer under Device Manager or the Windows Settings app and see that it's still there and accessible. Or just print a test document.
|
||||
|
||||
1. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer - you shouldn't be bale to print anything or able to access the printer at all.
|
||||
|
||||
## Scenario #4: Prevent installation of a specific USB device
|
||||
|
||||
The scenario builds upon the knowledge from scenario #2, Prevent installation of a specific printer. In this scenario, you'll gain an understanding of how some devices are built into the PnP (Plug and Play) device tree.
|
||||
|
||||
### Setting up the environment
|
||||
|
||||
Setting up the environment for the scenario with the following steps:
|
||||
|
||||
1. Open Group Policy Editor and navigate to the Device Installation Restriction section
|
||||
|
||||
1. Ensure all previous Device Installation policies are disabled except 'Apply layered order of evaluation' (this prerequisite is optional to be On/Off this scenario) - although the policy is disabled in default, it's recommended to be enabled in most practical applications.
|
||||
|
||||
### Scenario steps - preventing installation of a specific device
|
||||
|
||||
Getting the right device identifier to prevent it from being installed and its location in the PnP tree:
|
||||
|
||||
1. Connect a USB thumb drive to the machine
|
||||
|
||||
1. Open Device Manager
|
||||
|
||||
1. Find the USB thumb-drive and select it.
|
||||
|
||||
<br/>_Selecting the usb thumb-drive in Device Manager_
|
||||
|
||||
1. Change View (in the top menu) to 'Devices by connections'. This view represents the way devices are installed in the PnP tree.
|
||||
|
||||
<br/>_Changing view in Device Manager to see the PnP connection tree_
|
||||
|
||||
> [!NOTE]
|
||||
> When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a "Generic USB Hub" from being installed, all the devices that lay below a "Generic USB Hub" will be blocked.
|
||||
|
||||
<br/>_When blocking one device, all the devices that are nested below it will be blocked as well_
|
||||
|
||||
1. Double-click the USB thumb-drive and move to the 'Details' tab.
|
||||
|
||||
1. From the 'Value' window, copy the most detailed Hardware ID-we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
|
||||
|
||||
<br/>_USB device hardware IDs_
|
||||
|
||||
Creating the policy to prevent a single USB thumb-drive from being installed:
|
||||
|
||||
1. Open Group Policy Object Editor - either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
|
||||
|
||||
1. Navigate to the Device Installation Restriction page:
|
||||
|
||||
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
|
||||
|
||||
1. Open **Prevent installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
|
||||
|
||||
1. In the lower left side, in the 'Options' window, click the 'Show' box. This option will take you to a table where you can enter the device identifier to block.
|
||||
|
||||
1. Enter the USB thumb-drive device ID you found above - USBSTOR\DiskGeneric_Flash_Disk______8.07
|
||||
|
||||
<br/>_Prevent Device IDs list_
|
||||
|
||||
1. Click 'OK'.
|
||||
|
||||
1. Click 'Apply' on the bottom right of the policy's window - this option pushes the policy and blocks the target USB thumb-drive in future installations, but doesn't apply to an existing install.
|
||||
|
||||
1. Optional - if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the 'Options' window, mark the checkbox that says 'also apply to matching devices that are already installed'
|
||||
|
||||
### Testing the scenario
|
||||
|
||||
1. If you haven't completed step #8 - follow these steps:
|
||||
|
||||
- Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click "Uninstall device".
|
||||
- You shouldn't be able to reinstall the device.
|
||||
|
||||
1. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use.
|
||||
|
||||
## Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive
|
||||
|
||||
Now, using the knowledge from all the previous four scenarios, you'll learn how to prevent the installation of an entire Class of devices while allowing a single authorized USB thumb-drive to be installed.
|
||||
|
||||
### Setting up the environment
|
||||
|
||||
Setting up the environment for the scenario with the following steps:
|
||||
|
||||
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
|
||||
|
||||
1. Disable all previous Device Installation policies, and **enable** 'Apply layered order of evaluation'.
|
||||
|
||||
1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters.
|
||||
|
||||
1. Have a USB thumb-drive available to test the policy with.
|
||||
|
||||
### Scenario steps - preventing installation of all USB devices while allowing only an authorized USB thumb-drive
|
||||
|
||||
Getting the device identifier for both the USB Classes and a specific USB thumb-drive - following the steps in scenario #1 to find Class identifier and scenario #4 to find Device identifier you could get the identifiers you need for this scenario:
|
||||
|
||||
- USB Bus Devices (hubs and host controllers)
|
||||
- Class = USB
|
||||
- ClassGuid = {36fc9e60-c465-11cf-8056-444553540000}
|
||||
- This class includes USB host controllers and USB hubs, but not USB peripherals. Drivers for this class are system-supplied.
|
||||
|
||||
- USB Device
|
||||
- Class = USBDevice
|
||||
- ClassGuid = {88BAE032-5A81-49f0-BC3D-A4FF138216D6}
|
||||
- USBDevice includes all USB devices that don't belong to another class. This class isn't used for USB host controllers and hubs.
|
||||
|
||||
- Hardware ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
|
||||
|
||||
As mentioned in scenario #4, it's not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. The IT admin has to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well:
|
||||
|
||||
- "Intel(R) USB 3.0 eXtensible Host Controller - 1.0 (Microsoft)" -> PCI\CC_0C03
|
||||
- "USB Root Hub (USB 3.0)" -> USB\ROOT_HUB30
|
||||
- "Generic USB Hub" -> USB\USB20_HUB
|
||||
|
||||
<br/>_USB devices nested under each other in the PnP tree_
|
||||
|
||||
These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them shouldn't enable any external/peripheral device from being installed on the machine.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an 'Allow list' in such cases. See below for the list:
|
||||
>
|
||||
> PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/
|
||||
> USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/
|
||||
> USB\USB20_HUB (for Generic USB Hubs)/
|
||||
>
|
||||
> Specifically for desktop machines, it's very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices.
|
||||
>
|
||||
> Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done.
|
||||
|
||||
First create a 'Prevent Class' policy and then create 'Allow Device' one:
|
||||
|
||||
1. Open Group Policy Object Editor - either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
|
||||
|
||||
1. Navigate to the Device Installation Restriction page:
|
||||
|
||||
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
|
||||
|
||||
1. Make sure all policies are disabled
|
||||
|
||||
1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button.
|
||||
|
||||
1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block.
|
||||
|
||||
1. Enter both USB classes GUID you found above with the curly braces:
|
||||
|
||||
> {36fc9e60-c465-11cf-8056-444553540000}/
|
||||
> {88BAE032-5A81-49f0-BC3D-A4FF138216D6}
|
||||
|
||||
1. Click 'OK'.
|
||||
|
||||
1. Click 'Apply' on the bottom right of the policy's window - this option pushes the policy and blocks all future USB device installations, but doesn't apply to existing installs.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> The previous step prevents all future USB devices from being installed. Before you move to the next step make sure you have as complete list as possible of all the USB Host Controllers, USB Root Hubs and Generic USB Hubs Device IDs available to prevent blocking you from interacting with your system through keyboards and mice.
|
||||
|
||||
1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it - this policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device.
|
||||
|
||||
<br/>_Apply layered order of evaluation policy_
|
||||
|
||||
1. Now Open **Allow installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
|
||||
|
||||
1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to allow.
|
||||
|
||||
1. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation - USBSTOR\DiskGeneric_Flash_Disk______8.07
|
||||
|
||||
<br/>_Allowed USB Device IDs list_
|
||||
|
||||
1. Click 'OK'.
|
||||
|
||||
1. Click 'Apply' on the bottom right of the policy's window.
|
||||
|
||||
1. To apply the 'Prevent' coverage of all currently installed USB devices - Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK'.
|
||||
|
||||
### Testing the scenario
|
||||
|
||||
You shouldn't be able to install any USB thumb-drive, except the one you authorized for usage
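Review bot: in scenario #5 the step "To apply the 'Prevent' coverage of all currently installed USB devices" is correctly left until after the Allow list has been applied, but nothing says that the order matters; add a sentence that ticking 'also apply to matching devices that are already installed' on the class-wide Prevent policy before the host-controller, root-hub and generic-hub IDs are in the Allow list would take out the keyboard and mouse the IMPORTANT callout warns about. Typos to fix in the same hunk: "you shouldn't be bale to print anything" (able), "all the USB devices that preceding the target one aren't blocked (allowed)" (that precede), "In Our case the following devices has to be allowed" (in our case ... have to be allowed), "Some device in the system have several layers" (Some devices), and "allows the target printer to be installed (or stayed installed)" (or stay installed). The caption lines such as "<br/>_Printer Hardware ID_" and "<br/>_Apply layered order of evaluation policy_" have no image reference in front of them, so confirm the image links survived the move.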
@ -0,0 +1,48 @@
---
title: Manage the Settings app with Group Policy (Windows 10 and Windows 11)
description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
ms.prod: windows-client
author: vinaypamnani-msft
ms.date: 09/14/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
---

# Manage the Settings app with Group Policy

You can now manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely.
To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update.

>[!NOTE]
>Each server that you want to manage access to the Settings App must be patched.

If your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management, to centrally manage the new policies, copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).

This policy is available for both User and Computer depending on the version of the OS. Windows Server 2016 with KB 4457127 applied will have both User and Computer policy. Windows 10, version 1703, added Computer policy for the Settings app. Windows 10, version 1809, added User policy for the Settings app.

Policy paths:

**Computer Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.

**User Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.


## Configuring the Group Policy

The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon-delimited list of URIs in **Settings Page Visibility**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).

>[!NOTE]
> When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string.

Here are some examples:

- To show only the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **ShowOnly:Network-Proxy;Network-Ethernet**.
- To hide the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **Hide:Network-Proxy;Network-Ethernet**.
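Review bot: the sentence "If your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management, to centrally manage the new policies, copy the ControlPanel.admx and ControlPanel.adml file to Central Store" has lost its subject and should be rewritten, for example "If your company uses a Central Store or the PolicyDefinitions folder of the Domain Controllers ...". The two examples refer to the "**Settings App Visibility**" textbox while the policy path and the NOTE call it "Settings Page Visibility"; use one name throughout. The blank line after the two policy paths looks like a dropped screenshot, so check the image reference, and "Windows server 2016" should be "Windows Server 2016".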
154
windows/client-management/client-tools/mandatory-user-profile.md
Normal file
@ -0,0 +1,154 @@
---
title: Create mandatory user profiles (Windows 10 and Windows 11)
description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users.
ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 09/14/2021
ms.reviewer:
manager: aaroncz
ms.topic: article
ms.collection:
- highpri
- tier2
ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---

# Create mandatory user profiles

A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.

Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles.

When the server that stores the mandatory profile is unavailable, such as when the user is not connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user will be signed in with a temporary profile.

User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile.

## Profile extension for each Windows version

The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version.

| Client operating system version | Server operating system version | Profile extension |
| --- | --- | --- |
| Windows XP | Windows Server 2003 </br>Windows Server 2003 R2 | none |
| Windows Vista</br>Windows 7 | Windows Server 2008 </br>Windows Server 2008 R2 | v2 |
| Windows 8 | Windows Server 2012 | v3 |
| Windows 8.1 | Windows Server 2012 R2 | v4 |
| Windows 10, versions 1507 and 1511 | N/A | v5 |
| Windows 10, versions 1607, 1703, 1709, 1803, 1809, 1903 and 1909 | Windows Server 2016 and Windows Server 2019 | v6 |

For more information, see [Deploy Roaming User Profiles, Appendix B](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](/troubleshoot/windows-server/user-profiles-and-logon/roaming-user-profiles-versioning).

## Mandatory user profile

First, you create a default user profile with the customizations that you want, run Sysprep with CopyProfile set to **True** in the answer file, copy the customized default user profile to a network share, and then you rename the profile to make it mandatory.

### How to create a default user profile

1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account.

> [!NOTE]
> Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders.

1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on.

> [!NOTE]
> Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics).

1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user's profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.

1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](/windows/application-management/apps-in-windows-10).

> [!NOTE]
> It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.

1. At a command prompt, type the following command and press **ENTER**.

```console
sysprep /oobe /reboot /generalize /unattend:unattend.xml
```

(Sysprep.exe is located at: C:\\Windows\\System32\\sysprep. By default, Sysprep looks for unattend.xml in this same folder.)

> [!TIP]
> If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following:
>
> 
>
> Use the [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true) and [Remove-AppxPackage -AllUsers](/powershell/module/appx/remove-appxpackage?view=win10-ps&preserve-view=true) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.

1. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the setup, and then sign in to the computer using an account that has local administrator privileges.

1. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section.

1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.


1. In **Copy To**, under **Permitted to use**, click **Change**.


1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.

1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with ".v6" to identify it as a user profile folder for Windows 10, version 1607.

- If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.


- If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.


1. Click **OK** to copy the default user profile.

### How to make the user profile mandatory

1. In File Explorer, open the folder where you stored the copy of the profile.

> [!NOTE]
> If the folder is not displayed, click **View** > **Options** > **Change folder and search options**. On the **View** tab, select **Show hidden files and folders**, clear **Hide protected operating system files**, click **Yes** to confirm that you want to show operating system files, and then click **OK** to save your changes.

1. Rename `Ntuser.dat` to `Ntuser.man`.

## Apply a mandatory user profile to users

In a domain, you modify properties for the user account to point to the mandatory profile in a shared folder residing on the server.

### How to apply a mandatory user profile to users

1. Open **Active Directory Users and Computers** (dsa.msc).

1. Navigate to the user account that you will assign the mandatory profile to.

1. Right-click the user name and open **Properties**.

1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is \\\\*server*\\profile.v6, you would enter \\\\*server*\\profile.

1. Click **OK**.

It may take some time for this change to replicate to all domain controllers.

## Apply policies to improve sign-in time

When a user is configured with a mandatory profile, Windows 10 starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. (The table shows which operating system versions each policy setting can apply to.)

| Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 |
| --- | --- | --- | --- | --- |
| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled |  |  |  |  |
| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled |  |  |  |  |
| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled |  |  |  |  |

> [!NOTE]
> The Group Policy settings above can be applied in Windows 10 Professional edition.

## Related topics

- [Manage Windows 10 Start layout and taskbar options](/windows/configuration/windows-10-start-layout-options-and-policies)
- [Lock down Windows 10 to specific apps](/windows/configuration/lock-down-windows-10-to-specific-apps)
- [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight)
- [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)
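Review bot: the three rows of the "Apply policies to improve sign-in time" table have empty cells under Windows 10, Windows Server 2016, Windows 8.1 and Windows Server 2012 where the applicability marks belong, so the table no longer says which setting applies to which OS even though the paragraph above promises that; restore the marks or replace them with plain "Yes"/"No" text. The same loss shows in the TIP, which says "look for an entry like the following:" and is followed by an empty quoted line, and in the blank lines after "click **Copy To**", "click **Change**" and the two shared-folder bullets where screenshots were; check that the image references survived the move. The "Profile extension for each Windows version" table stops at Windows 10 version 1909 and Windows Server 2019 although the page's appliesto lists Windows 11, so either extend the table to the later versions or state which extension they use.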
@ -0,0 +1,509 @@
---
title: New policies for Windows 10 (Windows 10)
description: Learn how Windows 10 includes new policies for management, like Group Policy settings for the Windows system and components.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.prod: windows-client
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/15/2021
ms.topic: reference
ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---

# New policies for Windows 10

As of September 2020 This page will no longer be updated. To find the Group Polices that ship in each version of Windows, refer to the Group Policy Settings Reference Spreadsheet. You can always locate the most recent version of the Spreadsheet by searching the Internet for "Windows Version + Group Policy Settings Reference".

For example, searching for "Windows 2004" + "Group Policy Settings Reference Spreadsheet" in a web browser will return to you the link to download the Group Policy Settings Reference Spreadsheet for Windows 2004.

The latest [group policy reference for Windows 10 version 2004 is available here](https://www.microsoft.com/download/101451).

## New Group Policy settings in Windows 10, version 1903

The following Group Policy settings were added in Windows 10, version 1903:

**System**

- System\Service Control Manager Settings\Security Settings\Enable svchost.exe mitigation options
- System\Storage Sense\Allow Storage Sense
- System\Storage Sense\Allow Storage Sense Temporary Files cleanup
- System\Storage Sense\Configure Storage Sense
- System\Storage Sense\Configure Storage Sense Cloud content dehydration threshold
- System\Storage Sense\Configure Storage Sense Recycle Bin cleanup threshold
- System\Storage Sense\Configure Storage Sense Downloads cleanup threshold
- System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Troubleshooting:Allow users to access recommended troubleshooting for known problems

**Windows Components**

- Windows Components\App Privacy\Let Windows apps activate with voice
- Windows Components\App Privacy\Let Windows apps activate with voice while the system is locked
- Windows Components\Data Collection and Preview Builds\Allow commercial data pipeline
- Windows Components\Data Collection and Preview Builds\Configure collection of browsing data for Desktop Analytics
- Windows Components\Data Collection and Preview Builds\Configure diagnostic data upload endpoint for Desktop Analytics
- Windows Components\Delivery Optimization\Delay background download Cache Server fallback (in seconds)
- Windows Components\Delivery Optimization\Delay Foreground download Cache Server fallback (in seconds)
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use WDDM graphics display driver for Remote Desktop Connections
- Windows Components\Windows Logon Options\Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot

## New Group Policy settings in Windows 10, version 1809

The following Group Policy settings were added in Windows 10, version 1809:

**Start Menu and Taskbar**

- Start Menu and Taskbar\Force Start to be either full screen size or menu size
- Start Menu and Taskbar\Remove "Recently added" list from Start Menu
- Start Menu and Taskbar\Remove All Programs list from the Start menu
- Start Menu and Taskbar\Remove frequent programs list from the Start Menu

**System**

- System\Group Policy\Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services
- System\Group Policy\Configure Applications preference extension policy processing
- System\Group Policy\Configure Data Sources preference extension policy processing
- System\Group Policy\Configure Devices preference extension policy processing
- System\Group Policy\Configure Drive Maps preference extension policy processing
- System\Group Policy\Configure Environment preference extension policy processing
- System\Group Policy\Configure Files preference extension policy processing
- System\Group Policy\Configure Folder Options preference extension policy processing
- System\Group Policy\Configure Folders preference extension policy processing
- System\Group Policy\Configure Ini Files preference extension policy processing
- System\Group Policy\Configure Internet Settings preference extension policy processing
- System\Group Policy\Configure Local Users and Groups preference extension policy processing
- System\Group Policy\Configure Network Options preference extension policy processing
- System\Group Policy\Configure Network Shares preference extension policy processing
- System\Group Policy\Configure Power Options preference extension policy processing
- System\Group Policy\Configure Printers preference extension policy processing
- System\Group Policy\Configure Regional Options preference extension policy processing
- System\Group Policy\Configure Registry preference extension policy processing
- System\Group Policy\Configure Scheduled Tasks preference extension policy processing
- System\Group Policy\Configure Services preference extension policy processing
- System\Group Policy\Configure Shortcuts preference extension policy processing
- System\Group Policy\Configure Start Menu preference extension policy processing
- System\Group Policy\Logging and tracing\Configure Applications preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Data Sources preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Devices preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Drive Maps preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Environment preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Files preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Folder Options preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Folders preference logging and tracing
- System\Group Policy\Logging and tracing\Configure INI Files preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Internet Settings preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Local Users and Groups preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Network Options preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Network Shares preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Power Options preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Printers preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Regional Options preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Registry preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Scheduled Tasks preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Services preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Shortcuts preference logging and tracing
- System\Group Policy\Logging and tracing\Configure Start Menu preference logging and tracing
- System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection
- System\OS Policies\Allow Clipboard History
- System\OS Policies\Allow Clipboard synchronization across devices

**Windows Components**

- Windows Components\Data Collection and Preview Builds\Configure Microsoft 365 Update Readiness upload endpoint
- Windows Components\Data Collection and Preview Builds\Disable deleting diagnostic data
- Windows Components\Data Collection and Preview Builds\Disable diagnostic data viewer
- Windows Components\Delivery Optimization\[Reserved for future use] Cache Server Hostname
- Windows Components\Location and Sensors\Windows Location Provider\Turn off Windows Location Provider
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\DFS Management
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\File Server Resource Manager
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Share and Storage Management
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Storage Manager for SANs
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\DFS Management Extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\Disk Management Extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\File Server Resource Manager Extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\Share and Storage Management Extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\Storage Manager for SANS Extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy Management Editor
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy Starter GPO Editor
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Application snap-ins
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Applications preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Control Panel Settings (Computers)
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Control Panel Settings (Users)
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Data Sources preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Devices preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Drive Maps preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Environment preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Files preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Folder Options preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Folders preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Ini Files preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Internet Settings preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Local Users and Groups preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Network Options preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Network Shares preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Power Options preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Preferences tab
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Printers preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Regional Options preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Registry preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Scheduled Tasks preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Services preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Shortcuts preference extension
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Start Menu preference extension
- Windows Components\OOBE\Don't launch privacy settings experience on user logon
- Windows Components\OOBE\Don't launch privacy settings experience on user logon
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Do not use Remote Desktop Session Host server IP address when virtual IP address is not available
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Select the network adapter to be used for Remote Desktop IP Virtualization
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Turn off Windows Installer RDS Compatibility
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Turn on Remote Desktop IP Virtualization
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow remote start of unlisted programs
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Turn off Fair Share CPU Scheduling
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Allow time zone redirection
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow Clipboard redirection
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection\Redirect only the default client printer
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection\Redirect only the default client printer
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker\Use RD Connection Broker load balancing
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Allow desktop composition for remote desktop sessions
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Always show desktop on connection
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Do not allow font smoothing
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Remove remote desktop wallpaper
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for logoff of RemoteApp sessions
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for logoff of RemoteApp sessions
- Windows Components\Microsoft Defender Antivirus\Configure detection for potentially unwanted applications
- Windows Components\Microsoft Defender Antivirus\Scan\Configure low CPU priority for scheduled scans
- Windows Components\Windows Defender Application Guard\Allow camera and microphone access in Windows Defender Application Guard
- Windows Components\Windows Defender Application Guard\Allow users to trust files that open in Windows Defender Application Guard
- Windows Components\Windows Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate Authorities from the user's device
- Windows Components\Windows Defender Application Guard\Configure additional sources for untrusted files in Windows Defender Application Guard
- Windows Components\Windows Hello for Business\Use Windows Hello for Business certificates as smart card certificates
- Windows Components\Windows Media Player\Do Not Show First Use Dialog Boxes
- Windows Components\Windows Media Player\Prevent Automatic Updates
- Windows Components\Windows Media Player\Prevent CD and DVD Media Information Retrieval
- Windows Components\Windows Media Player\Prevent Desktop Shortcut Creation
- Windows Components\Windows Media Player\Prevent Media Sharing
- Windows Components\Windows Media Player\Prevent Music File Media Information Retrieval
- Windows Components\Windows Media Player\Prevent Quick Launch Toolbar Shortcut Creation
- Windows Components\Windows Media Player\Prevent Radio Station Preset Retrieval
- Windows Components\Windows Media Player\Prevent Video Smoothing
- Windows Components\Windows Media Player\Networking\Configure HTTP Proxy
- Windows Components\Windows Media Player\Networking\Configure MMS Proxy
- Windows Components\Windows Media Player\Networking\Configure Network Buffering
- Windows Components\Windows Media Player\Networking\Configure RTSP Proxy
- Windows Components\Windows Media Player\Networking\Hide Network Tab
- Windows Components\Windows Media Player\Networking\Streaming Media Protocols
- Windows Components\Windows Media Player\Playback\Allow Screen Saver
- Windows Components\Windows Media Player\Playback\Prevent Codec Download
- Windows Components\Windows Media Player\User Interface\Do Not Show Anchor
- Windows Components\Windows Media Player\User Interface\Hide Privacy Tab
- Windows Components\Windows Media Player\User Interface\Hide Security Tab
- Windows Components\Windows Media Player\User Interface\Set and Lock Skin
- Windows Components\Windows Security\Account protection\Hide the Account protection area
- Windows Components\Windows Security\App and browser protection\Hide the App and browser protection area
- Windows Components\Windows Security\App and browser protection\Prevent users from modifying settings
- Windows Components\Windows Security\Device performance and health\Hide the Device performance and health area
- Windows Components\Windows Security\Device security\Disable the Clear TPM button
- Windows Components\Windows Security\Device security\Hide the Device security area
- Windows Components\Windows Security\Device security\Hide the Secure boot area
- Windows Components\Windows Security\Device security\Hide the Security processor (TPM) troubleshooter page
- Windows Components\Windows Security\Device security\Hide the TPM Firmware Update recommendation
- Windows Components\Windows Security\Enterprise Customization\Configure customized contact information
- Windows Components\Windows Security\Enterprise Customization\Configure customized notifications
- Windows Components\Windows Security\Enterprise Customization\Specify contact company name
- Windows Components\Windows Security\Enterprise Customization\Specify contact email address or Email ID
- Windows Components\Windows Security\Enterprise Customization\Specify contact phone number or Skype ID
- Windows Components\Windows Security\Enterprise Customization\Specify contact website
- Windows Components\Windows Security\Family options\Hide the Family options area
- Windows Components\Windows Security\Firewall and network protection\Hide the Firewall and network protection area
- Windows Components\Windows Security\Notifications\Hide all notifications
- Windows Components\Windows Security\Notifications\Hide non-critical notifications
- Windows Components\Windows Security\Systray\Hide Windows Security Systray
- Windows Components\Windows Security\Virus and threat protection\Hide the Ransomware data recovery area
- Windows Components\Windows Security\Virus and threat protection\Hide the Virus and threat protection area
- Windows Components\Windows Update\Display options for update notifications
- Windows Components\Windows Update\Remove access to "Pause updates" feature

**Control Panel**

- Control Panel\Settings Page Visibility
- Control Panel\Regional and Language Options\Allow users to enable online speech recognition services

**Network**

- Network\Windows Connection Manager\Enable Windows to soft-disconnect a computer from a network

## New Group Policy settings in Windows 10, version 1803

The following Group Policy settings were added in Windows 10, version 1803:

**System**

- System\Credentials Delegation\Encryption Oracle Remediation
- System\Group Policy\Phone-PC linking on this device
- System\OS Policies\Allow upload of User Activities

**Windows Components**

- Windows Components\App Privacy\Let Windows apps access an eye tracker device
- Windows Components\Cloud Content\Turn off Windows Spotlight on Settings
- Windows Components\Data Collection and Preview Builds\Allow device name to be sent in Windows diagnostic data
- Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface
- Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in change notifications
- Windows Components\Delivery Optimization\Maximum Background Download Bandwidth (percentage)
- Windows Components\Delivery Optimization\Maximum Foreground Download Bandwidth (percentage)
- Windows Components\Delivery Optimization\Select the source of Group IDs
- Windows Components\Delivery Optimization\Delay background download from http (in secs)
- Windows Components\Delivery Optimization\Delay Foreground download from http (in secs)
- Windows Components\Delivery Optimization\Select a method to restrict Peer Selection
- Windows Components\Delivery Optimization\Set Business Hours to Limit Background Download Bandwidth
- Windows Components\Delivery Optimization\Set Business Hours to Limit Foreground Download Bandwidth
- Windows Components\IME\Turn on Live Sticker
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow video capture redirection
- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use hardware graphics adapters for all Remote Desktop Services sessions
- Windows Components\Search\Allow Cortana Page in OOBE on an Azure Active Directory account
- Windows Components\Store\Disable all apps from Microsoft Store
- Windows Components\Text Input\Allow Uninstallation of Language Features
- Windows Components\Text Input\Improve inking and typing recognition
- Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard
- Windows Components\Windows Defender Security Center\Account protection\Hide the Account protection area
- Windows Components\Windows Defender Security Center\Device security\Hide the Device security area
- Windows Components\Windows Defender Security Center\Device security\Hide the Security processor (TPM) troubleshooter page
- Windows Components\Windows Defender Security Center\Device security\Hide the Secure boot area
- Windows Components\Windows Defender Security Center\Virus and threat protection\Hide the Ransomware data recovery area

## New Group Policy settings in Windows 10, version 1709

The following Group Policy settings were added in Windows 10, version 1709:

**Control Panel**

- Control Panel\Allow Online Tips

**Network**

- Network\Network Connectivity Status Indicator\Specify global DNS
- Network\WWAN Service\WWAN UI Settings\Set Per-App Cellular Access UI Visibility
- Network\WWAN Service\Cellular Data Access\Let Windows apps access cellular data

**System**

- System\Device Health Attestation Service\Enable Device Health Attestation Monitoring and Reporting
- System\OS Policies\Enables Activity Feed
- System\OS Policies\Allow publishing of User Activities
- System\Power Management\Power Throttling Settings\Turn off Power Throttling
- System\Storage Health\Allow downloading updates to the Disk Failure Prediction Model
- System\Trusted Platform Module Services\Configure the system to clear the TPM if it is not in a ready state.

**Windows Components**

- Windows Components\App Privacy\Let Windows apps communicate with unpaired devices
- Windows Components\Data Collection and Preview Builds\Limit Enhanced diagnostic data to the minimum required by Windows Analytics
- Windows Components\Handwriting\Handwriting Panel Default Mode Docked
- Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing\Hide the button (next to the New Tab button) that opens Microsoft Edge
- Windows Components\MDM\Auto MDM Enrollment with Azure Active Directory Token
- Windows Components\Messaging\Allow Message Service Cloud Sync
- Windows Components\Microsoft Edge\Always show the Books Library in Microsoft Edge
- Windows Components\Microsoft Edge\Provision Favorites
- Windows Components\Microsoft Edge\Prevent changes to Favorites on Microsoft Edge
- Windows Components\Microsoft FIDO Authentication\Enable usage of FIDO devices to sign on
- Windows Components\OneDrive\Prevent OneDrive from generating network traffic until the user signs in to OneDrive
- Windows Components\Push To Install\Turn off Push To Install service
- Windows Components\Search\Allow Cloud Search
- Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard
- Windows Components\Windows Defender Application Guard\Allow auditing events in Windows Defender Application Guard
- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Network Protection\Prevent users and apps from accessing dangerous websites
- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure Controlled folder access
- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules
- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction\Exclude files and paths from Attack Surface Reduction Rules
- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure allowed applications
- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure protected folders
- Windows Components\Windows Defender Exploit Guard\Exploit Protection\Use a common set of exploit protection settings
- Windows Components\Windows Defender Security Center\Virus and threat protection\Hide the Virus and threat protection area
- Windows Components\Windows Defender Security Center\Firewall and network protection\Hide the Firewall and network protection area
- Windows Components\Windows Defender Security Center\App and browser protection\Hide the App and browser protection area
- Windows Components\Windows Defender Security Center\App and browser protection\Prevent users from modifying settings
- Windows Components\Windows Defender Security Center\Device performance and health\Hide the Device performance and health area
- Windows Components\Windows Defender Security Center\Family options\Hide the Family options area
- Windows Components\Windows Defender Security Center\Notifications\Hide all notifications
- Windows Components\Windows Defender Security Center\Notifications\Hide non-critical notifications
- Windows Components\Windows Defender Security Center\Enterprise Customization\Configure customized notifications
- Windows Components\Windows Defender Security Center\Enterprise Customization\Configure customized contact information
- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact company name
- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact phone number or Skype ID
- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact email address or Email ID
- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact website
- Windows Components\Windows Hello for Business\Configure device unlock factors
- Windows Components\Windows Hello for Business\Configure dynamic lock factors
- Windows Components\Windows Hello for Business\Turn off smart card emulation
- Windows Components\Windows Hello for Business\Allow enumeration of emulated smart card for all users
- Windows Components\Windows Update\Allow updates to be downloaded automatically over metered connections
- Windows Components\Windows Update\Do not allow update deferral policies to cause scans against Windows Update

## New Group Policy settings in Windows 10, version 1703

The following Group Policy settings were added in Windows 10, version 1703:

**Control Panel**

- Control Panel\Add or Remove Programs\Specify default category for Add New Programs
- Control Panel\Add or Remove Programs\Hide the "Add a program from CD-ROM or floppy disk" option
- Control Panel\Personalization\Prevent changing lock screen and logon image

**Network**

- Network\Background Intelligent Transfer Service (BITS)\Limit the maximum network bandwidth for BITS background transfers
- Network\Background Intelligent Transfer Service (BITS)\Allow BITS Peercaching
- Network\Background Intelligent Transfer Service (BITS)\Limit the age of files in the BITS Peercache
- Network\Background Intelligent Transfer Service (BITS)\Limit the BITS Peercache size
- Network\DNS Client\Allow NetBT queries for fully qualified domain names
- Network\Network Connections\Prohibit access to properties of components of a LAN connection
- Network\Network Connections\Ability to Enable/Disable a LAN connection
- Network\Offline Files\Turn on economical application of administratively assigned Offline Files
- Network\Offline Files\Configure slow-link mode
- Network\Offline Files\Enable Transparent Caching
- Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Site-Local Clouds\Set the Seed Server
- Network\Microsoft Peer-to-Peer Networking Services\Disable password strength validation for Peer Grouping

**System**

- System\App-V\Streaming\Location Provider
- System\App-V\Streaming\Certificate Filter For Client SSL
- System\Credentials Delegation\Allow delegating default credentials with NTLM-only server authentication
- System\Ctrl+Alt+Del Options\Remove Change Password
- System\Ctrl+Alt+Del Options\Remove Lock Computer
- System\Ctrl+Alt+Del Options\Remove Task Manager
- System\Ctrl+Alt+Del Options\Remove Logoff
- System\Device Installation\Do not send a Windows error report when a generic driver is installed on a device
|
||||
- System\Device Installation\Prevent Windows from sending an error report when a device driver requests additional software during installation
|
||||
- System\Locale Services\Disallow user override of locale settings
|
||||
- System\Logon\Do not process the legacy run list
|
||||
- System\Logon\Always use custom logon background
|
||||
- System\Logon\Do not display network selection UI
|
||||
- System\Logon\Block user from showing account details on sign-in
|
||||
- System\Logon\Turn off app notifications on the lock screen
|
||||
- System\User Profiles\Establish timeout value for dialog boxes
|
||||
- System\Enable Windows NTP Server\Windows Time Service\Enable Windows NTP Client
|
||||
|
||||
**Windows Components**
|
||||
|
||||
- Windows Components\ActiveX Installer Service\Approved Installation Sites for ActiveX Controls
|
||||
- Windows Components\ActiveX Installer Service\Establish ActiveX installation policy for sites in Trusted zones
|
||||
- Windows Components\Application Compatibility\Turn off Application Compatibility Engine
|
||||
- Windows Components\Application Compatibility\Turn off Program Compatibility Assistant
|
||||
- Windows Components\Application Compatibility\Turn off Steps Recorder
|
||||
- Windows Components\Attachment Manager\Notify antivirus programs when opening attachments
|
||||
- Windows Components\Biometrics\Allow the use of biometrics
|
||||
- Windows Components\NetMeeting\Disable Whiteboard
|
||||
- Windows Components\Data Collection and Preview Builds\Configure the Commercial ID
|
||||
- Windows Components\File Explorer\Display the menu bar in File Explorer
|
||||
- Windows Components\File History\Turn off File History
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\Play animations in web pages
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone\Turn on Cross-Site Scripting Filter
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Turn on Cross-Site Scripting Filter
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone\Run ActiveX controls and plugins
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone\Script ActiveX controls marked safe for scripting
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone\Run ActiveX controls and plugins
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone\Script ActiveX controls marked safe for scripting
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone\Run ActiveX controls and plugins
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone\Script ActiveX controls marked safe for scripting
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone\Run ActiveX controls and plugins
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone\Script ActiveX controls marked safe for scripting
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone\Run ActiveX controls and plugins
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone\Script ActiveX controls marked safe for scripting
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Run ActiveX controls and plugins
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Script ActiveX controls marked safe for scripting
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\Run ActiveX controls and plugins
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\Script ActiveX controls marked safe for scripting
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone\Run ActiveX controls and plugins
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone\Script ActiveX controls marked safe for scripting
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone\Run ActiveX controls and plugins
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone\Script ActiveX controls marked safe for scripting
|
||||
- Windows Components\Internet Explorer\Accelerators\Restrict Accelerators to those deployed through Group Policy
|
||||
- Windows Components\Internet Explorer\Compatibility View\Turn on Internet Explorer 7 Standards Mode
|
||||
- Windows Components\Location and Sensors\Windows Location Provider\Turn off Windows Location Provider
|
||||
- Windows Components\Microsoft Account\Block all consumer Microsoft account user authentication
|
||||
- Windows Components\Microsoft Edge\Configure Autofill
|
||||
- Windows Components\Microsoft Edge\Allow Developer Tools
|
||||
- Windows Components\Microsoft Edge\Configure Do Not Track
|
||||
- Windows Components\Microsoft Edge\Allow InPrivate browsing
|
||||
- Windows Components\Microsoft Edge\Configure Password Manager
|
||||
- Windows Components\Microsoft Edge\Configure Pop-up Blocker
|
||||
- Windows Components\Microsoft Edge\Allow search engine customization
|
||||
- Windows Components\Microsoft Edge\Configure search suggestions in Address bar
|
||||
- Windows Components\Microsoft Edge\Set default search engine
|
||||
- Windows Components\Microsoft Edge\Configure additional search engines
|
||||
- Windows Components\Microsoft Edge\Configure the Enterprise Mode Site List
|
||||
- Windows Components\Microsoft Edge\Prevent using Localhost IP address for WebRTC
|
||||
- Windows Components\Microsoft Edge\Configure Start pages
|
||||
- Windows Components\Microsoft Edge\Disable lockdown of Start pages
|
||||
- Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
|
||||
- Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files
|
||||
- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\.Net Framework Configuration
|
||||
- Windows Components\Windows Installer\Prohibit use of Restart Manager
|
||||
- Windows Components\Desktop Gadgets\Restrict unpacking and installation of gadgets that are not digitally signed.
|
||||
- Windows Components\Desktop Gadgets\Turn Off user-installed desktop gadgets
|
||||
- Windows Components\OneDrive\Prevent the usage of OneDrive for file storage
|
||||
- Windows Components\OneDrive\Prevent the usage of OneDrive for file storage on Windows 8.1
|
||||
- Windows Components\OneDrive\Prevent OneDrive files from syncing over metered connections
|
||||
- Windows Components\OneDrive\Save documents to OneDrive by default
|
||||
- Windows Components\Smart Card\Allow certificates with no extended key usage certificate attribute
|
||||
- Windows Components\Smart Card\Turn on certificate propagation from smart card
|
||||
- Windows Components\Tablet PC\Pen UX Behaviors\Prevent flicks
|
||||
- Windows Components\BitLocker Drive Encryption\Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507])
|
||||
- Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn on behavior monitoring
|
||||
- Windows Components\Microsoft Defender Antivirus\Signature Updates\Define file shares for downloading definition updates
|
||||
- Windows Components\Microsoft Defender Antivirus\Signature Updates\Turn on scan after signature update
|
||||
- Windows Components\File Explorer\Display confirmation dialog when deleting files
|
||||
- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\Allow OpenSearch queries in File Explorer
|
||||
- Windows Components\Windows Update\Remove access to use all Windows Update features
|
||||
- Windows Components\Windows Update\Configure Automatic Updates
|
||||
- Windows Components\Windows Update\Specify intranet Microsoft update service location
|
||||
- Windows Components\Windows Update\Automatic Updates detection frequency
|
||||
- Windows Components\Windows Update\Allow non-administrators to receive update notifications
|
||||
- Windows Components\Windows Update\Allow Automatic Updates immediate installation
|
||||
- Windows Components\Windows Update\Turn on recommended updates via Automatic Updates
|
||||
- Windows Components\Shutdown Options\Turn off legacy remote shutdown interface
|
||||
|
||||
For a spreadsheet of Group Policy settings included in Windows 10 and Windows Server 2016, see [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=613627).
|
||||
|
||||
## New MDM policies
|
||||
|
||||
Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education include previous Windows Phone settings, and new or enhanced settings for Windows 10, such as:
|
||||
|
||||
- Defender (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education only)
|
||||
|
||||
- Enhanced Bluetooth policies
|
||||
|
||||
- Passport and Hello
|
||||
|
||||
- Device update
|
||||
|
||||
- Hardware-based device health attestation
|
||||
|
||||
- [Kiosk mode](/windows/configuration/set-up-a-device-for-anyone-to-use), start screen, start menu layout
|
||||
|
||||
- Security
|
||||
|
||||
- [VPN](/windows/security/identity-protection/vpn/vpn-profile-options) and enterprise Wi-Fi management
|
||||
|
||||
- Certificate management
|
||||
|
||||
- Windows Tips
|
||||
|
||||
- Consumer experiences, such as suggested apps in Start and app tiles from Microsoft dynamically inserted in the default Start menu
|
||||
|
||||
Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](./mdm/policy-configuration-service-provider.md).
|
||||
|
||||
If you use Microsoft Intune for MDM, you can [configure custom policies](/mem/intune/configuration/custom-settings-configure) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](/mem/intune/configuration/custom-settings-windows-10).
|
||||
|
||||
No new [Exchange ActiveSync policies](/exchange/mobile-device-mailbox-policies-exchange-2013-help). For more information, see the [ActiveSync configuration service provider](./mdm/activesync-csp.md) technical reference.
|
||||
|
||||
## Related topics
|
||||
|
||||
[Group Policy Settings Reference Spreadsheet Windows 1803](https://www.microsoft.com/download/details.aspx?id=56946)
|
||||
|
||||
[Manage corporate devices](manage-corporate-devices.md)
|
||||
|
||||
[Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10)
|
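Review bot: the path `System\Enable Windows NTP Server\Windows Time Service\Enable Windows NTP Client` in the **System** list nests a policy name (`Enable Windows NTP Server`) as the parent folder of another policy, which no other entry in this list does; the nesting looks inverted and should be checked against the ADMX before the list ships. Two wording points in the **New MDM policies** section: "Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education include" needs "includes", and "No new [Exchange ActiveSync policies](...)." is a sentence fragment; suggest "There are no new Exchange ActiveSync policies." Finally, the body links the general Group Policy Settings Reference while **Related topics** links the 1803 spreadsheet specifically; stating which Windows versions each spreadsheet covers would save readers a download.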
153
windows/client-management/client-tools/quick-assist.md
Normal file
@ -0,0 +1,153 @@
---
title: Use Quick Assist to help users
description: Learn how IT Pros can use Quick Assist to help users.
ms.prod: windows-client
ms.topic: article
ms.technology: itpro-manage
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.reviewer: pmadrigal
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
ms.collection:
- highpri
- tier1
ms.date: 03/06/2023
---

# Use Quick Assist to help users

Quick Assist is a Microsoft Store application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user's device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices.

## Before you begin

All that's required to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate.

> [!IMPORTANT]
> Quick Assist is not available in the Azure Government cloud.

### Authentication

The helper can authenticate when they sign in by using a Microsoft account (MSA) or Azure Active Directory (Azure AD). Local Active Directory authentication isn't currently supported.

### Network considerations

Quick Assist communicates over port 443 (https) and connects to the Remote Assistance Service at `https://remoteassistance.support.services.microsoft.com` by using the Remote Desktop Protocol (RDP). The traffic is encrypted with TLS 1.2. Both the helper and sharer must be able to reach these endpoints over port 443:

| Domain/Name | Description |
|--|--|
| `*.aria.microsoft.com` | Accessible Rich Internet Applications (ARIA) service for providing accessible experiences to users. |
| `*.cc.skype.com` | Required for Azure Communication Service. |
| `*.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |
| `*.flightproxy.skype.com` | Required for Azure Communication Service. |
| `*.live.com` | Required for logging in to the application (MSA). |
| `*.monitor.azure.com` | Required for telemetry and remote service initialization. |
| `*.registrar.skype.com` | Required for Azure Communication Service. |
| `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application |
| `*.trouter.skype.com` | Used for Azure Communication Service for chat and connection between parties. |
| `aadcdn.msauth.net` | Required for logging in to the application (Azure AD). |
| `edge.skype.com` | Used for Azure Communication Service for chat and connection between parties. |
| `login.microsoftonline.com` | Required for Microsoft login service. |
| `remoteassistanceprodacs.communication.azure.com` | Used for Azure Communication Service for chat and connection between parties. |
| `turn.azure.com` | Required for Azure Communication Service. |

> [!IMPORTANT]
> Quick Assist uses Edge WebView2 browser control. For a list of domain URLs that you need to add to the allow list to ensure that the Edge WebView2 browser control can be installed and updated, see [Allow list for Microsoft Edge endpoints](/deployedge/microsoft-edge-security-endpoints).

## Working with Quick Assist

Either the support staff or a user can start a Quick Assist session.

1. Support staff ("helper") and the user ("sharer") can start Quick Assist in any of a few ways:
- Type *Quick Assist* in the Windows search and press ENTER.
- Press **CTRL** + **Windows** + **Q**.
- For **Windows 10** users, from the Start menu, select **Windows Accessories**, and then select **Quick Assist**.
- For **Windows 11** users, from the Start menu, select **All Apps**, and then select **Quick Assist**.
1. In the **Help someone** section, the helper selects the **Help someone** button. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code.
1. Helper shares the security code with the user over the phone or with a messaging system.
1. The sharer enters the provided code in the **Security code from assistant** box under the **Get help** section, and then selects **Submit**.
1. The sharer receives a dialog asking for permission to allow screen sharing. The sharer gives permission by selecting the **Allow** button and the screen sharing session is established.
1. After the screen sharing session is established, the helper can optionally request control of the sharer's screen by selecting **Request control**. The sharer then receives a dialog asking them if they want to **Allow** or **Deny** the request for control.

> [!NOTE]
> In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session.

## How it works

1. Both the helper and the sharer start Quick Assist.
1. The helper selects **Help someone**. Quick Assist on the helper's side contacts the Remote Assistance Service to obtain a session code. An RCC chat session is established, and the helper's Quick Assist instance joins it. The helper then provides the code to the sharer.
1. After the sharer enters the code in their Quick Assist app, Quick Assist uses that code to contact the Remote Assistance Service and join that specific session. The sharer's Quick Assist instance joins the RCC chat session.
1. The sharer is prompted to confirm allowing the helper to share their desktop with the helper.
1. Quick Assist starts RDP control and connects to the RDP Relay service.
1. RDP shares the video to the helper over https (port 443) through the RDP relay service to the helper's RDP control. Input is shared from the helper to the sharer through the RDP relay service.

:::image type="content" source="images/quick-assist-flow.png" lightbox="images/quick-assist-flow.png" alt-text="Schematic flow of connections when a Quick Assist session is established.":::

### Data and privacy

Microsoft logs a small amount of session data to monitor the health of the Quick Assist system. This data includes the following information:

- Start and end time of the session
- Errors arising from Quick Assist itself, such as unexpected disconnections
- Features used inside the app such as view only, annotation, and session pause

> [!NOTE]
> No logs are created on either the helper's or sharer's device. Microsoft can't access a session or view any actions or keystrokes that occur in the session.
>
> The sharer sees only an abbreviated version of the helper's name (first name, last initial) and no other information about them. Microsoft doesn't store any data about either the sharer or the helper for longer than three days.

In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device.

## Install Quick Assist

### Install Quick Assist from the Microsoft Store

1. Download the new version of Quick Assist by visiting the [Microsoft Store](https://apps.microsoft.com/store/detail/quick-assist/9P7BP5VNWKX5).
1. In the Microsoft Store, select **Get in Store app**. Then, give permission to install Quick Assist. When the installation is complete, **Get** changes to **Open**.</br> :::image type="content" source="images/quick-assist-get.png" lightbox="images/quick-assist-get.png" alt-text="Microsoft Store window showing the Quick Assist app with a button labeled get in the bottom right corner.":::

For more information, visit [Install Quick Assist](https://support.microsoft.com/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca).

### Install Quick Assist with Intune

Before installing Quick Assist, you need to set up synchronization between Intune and Microsoft Store for Business. If you've already set up sync, log into [Microsoft Store for Business](https://businessstore.microsoft.com) and skip to step 5.

1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**.
1. Using your Global Admin account, log into [Microsoft Store for Business](https://businessstore.microsoft.com).
1. Select **Manage** / **Settings** and enable **Show offline apps**.
1. Choose the **Distribute** tab and verify that **Microsoft Intune** is **Active**. You may need to use the **+Add management tool** link if it's not.
1. Search for **Quick Assist** and select it from the Search results.
1. Choose the **Offline** license and select **Get the app**
1. In the Intune admin center, choose **Sync**.
1. Navigate to **Apps** / **Windows** and you should see **Quick Assist (Offline)** in the list.
1. Select it to view its properties.
1. By default, the app isn't assigned to any user or device, select the **Edit** link. Assign the app to the required group of devices and choose **Review + save** to complete the application install.

> [!NOTE]
> Assigning the app to a device or group of devices instead of a user is important because it's the only way to install a store app in device context.

Visit [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-windows) for more information.

### Install Quick Assist Offline

To install Quick Assist offline, you need to download your APPXBUNDLE and unencoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information.

1. Start **Windows PowerShell** with Administrative privileges.
1. In PowerShell, change the directory to the location you've saved the file to in step 1: `cd <location of package file>`
1. Run the following command to install Quick Assist: `Add-AppxProvisionedPackage -Online -PackagePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"`
1. After Quick Assist has installed, run this command to confirm that Quick Assist is installed for the user: `Get-AppxPackage *QuickAssist* -AllUsers`

## Microsoft Edge WebView2

The Microsoft Edge WebView2 is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps. The new Quick Assist application has been developed using this control, making it a necessary component for the app to function.

- For Windows 11 users, this runtime control is built in.
- For Windows 10 users, the Quick Assist Store app detects if WebView2 is present on launch and if necessary, installs it automatically. If an error message or prompt is shown indicating WebView2 isn't present, it needs to be installed separately.

For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime](/microsoft-edge/webview2/concepts/distribution)

## Next steps

If you have any problems, questions, or suggestions for Quick Assist, contact us by using the [Feedback Hub app](https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332).
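Review bot: step 4 of **How it works** ("The sharer is prompted to confirm allowing the helper to share their desktop with the helper") inverts who shares what; suggest "The sharer is prompted to confirm sharing their desktop with the helper." In **Install Quick Assist Offline**, step 2 tells the reader to change to "the location you've saved the file to in step 1", but step 1 is "Start Windows PowerShell"; the download is described in the paragraph above the list, so the reference should point there. On the security side, **Before you begin** says no roles, permissions or policies are involved and the sharer doesn't authenticate, while **Data and privacy** says the sharer sees only an abbreviated helper name and, once control is granted, the helper has the same permissions as the sharer; given that, the **Working with Quick Assist** steps should tell sharers to confirm the helper's identity over the phone or messaging channel already used for the code before selecting **Allow** on the control request, and the page should point administrators at how to restrict or block the app where their environment requires it. Minor: step 2 of **Working with Quick Assist** repeats "Help someone" ("In the **Help someone** section, the helper selects the **Help someone** button"), and the sub-bullets under step 1 lack the indentation that keeps them inside the numbered list.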
23
windows/client-management/client-tools/toc.yml
Normal file
@ -0,0 +1,23 @@
items:
- name: Windows Tools/Administrative Tools
href: administrative-tools-in-windows-10.md
- name: Use Quick Assist to help users
href: quick-assist.md
- name: Connect to remote Azure Active Directory-joined PC
href: connect-to-remote-aadj-pc.md
- name: Create mandatory user profiles
href: mandatory-user-profile.md
- name: New policies for Windows 10
href: new-policies-for-windows-10.md
- name: Windows 10 default media removal policy
href: change-default-removal-policy-external-storage-media.md
- name: Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education
href: group-policies-for-enterprise-and-education-editions.md
- name: Manage Device Installation with Group Policy
href: manage-device-installation-with-group-policy.md
- name: Manage the Settings app with Group Policy
href: manage-settings-app-with-group-policy.md
- name: What version of Windows am I running
href: windows-version-search.md
- name: Windows libraries
href: windows-libraries.md
137
windows/client-management/client-tools/windows-libraries.md
Normal file
@ -0,0 +1,137 @@
|
||||
---
|
||||
ms.reviewer:
|
||||
manager: aaroncz
|
||||
title: Windows Libraries
|
||||
ms.prod: windows-client
|
||||
ms.author: vinpa
|
||||
ms.manager: dongill
|
||||
ms.technology: itpro-manage
|
||||
ms.topic: article
|
||||
author: vinaypamnani-msft
|
||||
description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures.
|
||||
ms.date: 09/15/2021
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
|
||||
---
|
||||
|
||||
# Windows libraries
|
||||
|
||||
Libraries are virtual containers for users' content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location.
|
||||
|
||||
## Features for Users
|
||||
|
||||
Windows libraries are backed by full content search and rich metadata. Libraries offer the following advantages to users:
|
||||
|
||||
- Aggregate content from multiple storage locations into a single, unified presentation.
|
||||
- Enable users to stack and group library contents based on metadata.
|
||||
- Enable fast, full-text searches across multiple storage locations, from Windows Explorer or from the Start menu.
|
||||
- Support customized filter search suggestions, based on the types of files contained in the library.
|
||||
- Enable users to create new libraries and specify which folders they want to include.
|
||||
|
||||
## Features for Administrators
|
||||
|
||||
Administrators can configure and control Windows libraries in the following methods:
|
||||
|
||||
- Create custom libraries by creating and deploying Library Description (*.library-ms) files.
|
||||
- Hide or delete the default libraries. (The Library node itself can't be hidden or deleted from the Windows Explorer navigation pane.)
|
||||
- Specify a set of libraries available to Default User, and then deploy those libraries to users that derive from Default User.
|
||||
- Specify locations to include in a library.
|
||||
- Remove a default location from a library.
|
||||
- Remove advanced libraries features, when the environment doesn't support the local caching of files, by using the [Turn off Windows Libraries features that rely on indexed file data](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)#WS_TurnOffWindowsLibraries) Group Policy. This method makes all libraries basic (see [Indexing Requirements and Basic Libraries](/previous-versions/windows/it-pro/windows-7/dd744693(v=ws.10)#WS_IndexingReqs_BasicLibraries)), removes libraries from the scope of the Start menu search, and removes other features to avoid confusing users and consuming resources.
|
||||
|
||||
## More about Libraries
|
||||
|
||||
The following information is important in the context of libraries you may need to understand to successfully manage your enterprise.
|
||||
|
||||
### Library Contents
|
||||
|
||||
Including a folder in a library doesn't physically move or change the storage location of the files or folders; the library is a view into those folders. However, users interacting with files in a library are copying, moving, and deleting the files themselves, not copies of these files.
|
||||
|
||||
### Default Libraries and Known Folders
|
||||
|
||||
The default libraries include:
|
||||
|
||||
- Documents
|
||||
- Music
|
||||
- Pictures
|
||||
- Videos
|
||||
|
||||
Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with. These known folders are automatically included in the default libraries and set as the default save location. That is, when users drag, copy, or save a file to the Documents library, the file is moved, copied, or saved to the My Documents folder. Administrators and users can change the default save-to location.
### Hiding Default Libraries
Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane can't be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and will re-create them if they don't exist on the computer. See [How to Hide Default Libraries](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_HideDefaultLibraries) for instructions.
### Default Save Locations for Libraries
Each library has a default save location. Files are saved or copied to this location if the user chooses to save or copy a file to a library, rather than a specific location within the library. Known folders are the default save locations; however, users can select a different save location.
If the user removes the default save location from a library, the next location is automatically selected as the new default save location. If the library is empty of locations or if all included locations can't be saved to, then the save operation fails.
### Indexing Requirements and "Basic" Libraries
Certain library features depend on the contents of the libraries being indexed. Library locations must be available for local indexing or be indexed in a manner conforming to the Windows Indexing Protocol. If indexing isn't enabled for one or more locations within a library, the entire library reverts to basic functionality:
- No support for metadata browsing via **Arrange By** views.
- Grep-only searches.
- Grep-only search suggestions. The only properties available for input suggestions are **Date Modified** and **Size**.
- No support for searching from the Start menu. Start menu searches don't return files from basic libraries.
- No previews of file snippets for search results returned in Content mode.
To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that aren't indexed remotely can be added to the local index using Offline File synchronization. This feature gives the user the benefits of local storage even though the location is remote. Making a folder "Always available offline" creates a local copy of the folder's files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations that aren't indexed remotely and aren't using folder redirection to gain the benefits of being indexed locally.
For instructions on enabling indexing, see [How to Enable Indexing of Library Locations](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_EnableIndexLocations).
If your environment doesn't support caching files locally, you should enable the [Turn off Windows Libraries features that rely on indexed file](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)#WS_TurnOffWindowsLibraries) data Group Policy. This enablement makes all libraries basic. For more information, see [Group Policy for Windows Search, Browse, and Organize](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)).
### Folder Redirection
While library files themselves can't be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the "My Documents" folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side.
### Supported storage locations
The following table shows which locations are supported in Windows libraries.
|Supported Locations|Unsupported Locations|
|---|---|
|Fixed local volumes (NTFS/FAT)|Removable drives|
|Shares that are indexed (departmental servers*, Windows home PCs)|Removable media (such as DVDs)<br><br>Network shares that are accessible through DFS Namespaces or are part of a failover cluster|
|Shares that are available offline (redirected folders that use Offline Files)|Network shares that aren't available offline or remotely indexed <br><br>Network Attached Storage (NAS) devices|
||Other data sources: SharePoint, Exchange, etc.|
\* For shares that are indexed on a departmental server, Windows Search works well in workgroups or on a domain server that has similar characteristics to a workgroup server. For example, Windows Search works well on a single share departmental server with the following characteristics:
- Expected maximum load is four concurrent query requests.
- Expected indexing corpus is a maximum of one million documents.
- Users directly access the server. That is, the server isn't made available through DFS Namespaces.
- Users aren't redirected to another server if there's a failure. That is, server clusters aren't used.
### Library Attributes
The following library attributes can be modified within Windows Explorer, the Library Management dialog, or the Library Description file (*.library-ms):
- Name
- Library locations
- Order of library locations
- Default save location
The library icon can be modified by the administrator or user by directly editing the Library Description schema file.
See the [Library Description Schema](/windows/win32/shell/library-schema-entry) topic on MSDN for information on creating Library Description files.
## See also
### Concepts
- [Windows Search Features](/previous-versions/windows/it-pro/windows-7/dd744686(v=ws.10))
- [Windows Indexing Features](/previous-versions/windows/it-pro/windows-7/dd744700(v=ws.10))
- [Federated Search Features](/previous-versions/windows/it-pro/windows-7/dd744682(v=ws.10))
- [Administrative How-to Guides](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10))
- [Group Policy for Windows Search, Browse, and Organize](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10))
- [More Resources for Windows Search, Browse, and Organization](/previous-versions/windows/it-pro/windows-7/dd744695(v=ws.10))
### Other resources
- [Folder Redirection, Offline Files, and Roaming User Profiles](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11))
- [Library Description Schema](/windows/win32/shell/library-schema-entry)
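Review bot: In the Library Attributes paragraph, `(*.library-ms)` carries an unescaped asterisk; the footnote marker on the same page is written `\*`, so use that escape here (or a code span) so Markdown doesn't read it as the start of emphasis. The Group Policy is also named inconsistently across the hunk: the first list links the full name "Turn off Windows Libraries features that rely on indexed file data", while the Indexing Requirements section ends the link text at "indexed file" and leaves "data" outside the link; move the word inside. Finally, the "To avoid this limited functionality" paragraph recommends making remote folders "Always available offline", which by its own description creates local copies of the files, while the paragraph after it covers environments that don't support caching files locally; a one-line cross-reference between the two would make them read as a single decision rather than two unrelated recommendations.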
@ -0,0 +1,55 @@
---
title: What version of Windows am I running?
description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel.
ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 04/30/2018
ms.reviewer:
manager: aaroncz
ms.topic: troubleshooting
ms.technology: itpro-manage
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# What version of Windows am I running?
To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it's useful to learn about all of them.
## System Properties
Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu
You'll now see **Edition**, **Version**, and **OS Build** information. Something like this:

## Using Keyword Search
You can type the following in the search bar and press **ENTER** to see version details for your device.
**"winver"**

**"msinfo"** or **"msinfo32"** to open **System Information**:

## Using Command Prompt or PowerShell
At the Command Prompt or PowerShell interface, type **"systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"** and then press **ENTER**

At the Command Prompt or PowerShell, type **"slmgr /dlv"**, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below:

## What does it all mean?
The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn't contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (you do have some limited search capabilities), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. It's important to remember that the LTSC model is primarily for specialized devices.
In the General Availability Channel, you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows 10 feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment.
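Review bot: The `systeminfo` command in the Command Prompt or PowerShell section passes `/B` twice (`findstr /B /C:"OS Name" /B /C:"OS Version"`); findstr switches apply to every search string, so drop the second `/B`, and put the whole command in a code span instead of bold text with embedded quotes so the nested quotation marks render unambiguously. In the opening paragraph, "General Availability Channel (SAC)" pairs the channel name with an abbreviation that doesn't match it; either use the abbreviation that corresponds to the name or drop it, as the same sentence does cleanly for "LTSC, formerly LTSB". In the "What does it all mean?" section, "Windows 10 Enterprise LTSB edition" still uses the former name the intro just retired, and "servicing modal" in the final paragraph should read "servicing model". The front matter also keeps `ms.date: 04/30/2018` on a file being moved in this commit; refresh it if the content was re-reviewed as part of the move.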