From c8e9797ed158d525387eb685c37214a797db12e5 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 7 Jun 2017 14:03:27 -0700 Subject: [PATCH 01/15] TFS 12104319, added TPMPolicy CSP and DDF topics for RS2 --- windows/client-management/mdm/TOC.md | 2 + ...onfiguration-service-provider-reference.md | 14 ++-- .../mdm/images/provisioning-csp-tpmpolicy.png | Bin 0 -> 3285 bytes ...ew-in-windows-mdm-enrollment-management.md | 12 ++- .../client-management/mdm/tpmpolicy-csp.md | 46 ++++++++++++ .../mdm/tpmpolicy-ddf-file.md | 71 ++++++++++++++++++ 6 files changed, 139 insertions(+), 6 deletions(-) create mode 100644 windows/client-management/mdm/images/provisioning-csp-tpmpolicy.png create mode 100644 windows/client-management/mdm/tpmpolicy-csp.md create mode 100644 windows/client-management/mdm/tpmpolicy-ddf-file.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index ead7fdaf03..45051db6b8 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -198,6 +198,8 @@ #### [SUPL DDF file](supl-ddf-file.md) ### [SurfaceHub CSP](surfacehub-csp.md) #### [SurfaceHub DDF file](surfacehub-ddf-file.md) +### [TPMPolicy CSP](tpmpolicy-csp.md) +#### [TPMPolicy DDF file](tpmpolicy-ddf-file.md) ### [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md) #### [UnifiedWriteFilter DDF file](unifiedwritefilter-ddf.md) ### [Update CSP](update-csp.md) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 7c7746d87a..e6f6ca4648 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md 
@@ -11,6 +11,9 @@ author: nickbrower # Configuration service provider reference +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used over–the–air for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used over–the–air for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot. For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224). @@ -1164,10 +1167,10 @@ The following tables show the configuration service providers support in Windows cross mark - check mark - check mark - check mark - check mark + check mark3 + check mark3 + check mark3 + check mark3 cross mark cross mark @@ -2358,7 +2361,8 @@ The following tables show the configuration service providers support in Windows  Footnotes: - 1 - Added in Windows 10, version 1607 -- 2 - Added in Windows 10, version 1703 +- 2 - Added in Windows 10, version 1703 +- 3 - Added in the next major update to Windows 10 > [!Note] > You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip). 
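Review bot: Footnote 3 in the last hunk of configuration-service-provider-reference.md ("3 - Added in the next major update to Windows 10") names no version, unlike footnotes 1 and 2, and the four cells changed to "check mark3" in the @@ -1164,10 hunk depend on it. Suggest stating the version number once it is fixed, or tracking this placeholder so it is replaced before release. The other topics in this patch already say "added in Windows 10, version 1703" for TPMPolicy, so a reader comparing the pages needs to be able to tell which release each marker refers to.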
diff --git a/windows/client-management/mdm/images/provisioning-csp-tpmpolicy.png b/windows/client-management/mdm/images/provisioning-csp-tpmpolicy.png new file mode 100644 index 0000000000000000000000000000000000000000..8950a1614d9e9dbf1fb6d20ea004f9624f4d9b7a GIT binary patch
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 9992411f6a..96d9601963 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -14,6 +14,8 @@ author: nickbrower # What's new in MDM enrollment and management +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. @@ -892,6 +894,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • [Policy CSP](policy-configuration-service-provider.md)
  • + +[TPMPolicy CSP](tpmpolicy-csp.md) +New CSP added in Windows 10, version 1703. +   @@ -1180,7 +1186,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) Added a list of registry locations that ingested policies are allowed to write to. - + [Firewall CSP](firewall-csp.md) Added the following nodes:
      @@ -1191,6 +1197,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
    • Status
    Also Added [Firewall DDF file](firewall-ddf-file.md). + +[TPMPolicy CSP](tpmpolicy-csp.md) +New CSP added in Windows 10, version 1703. + diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md new file mode 100644 index 0000000000..222b6a7627 --- /dev/null +++ b/windows/client-management/mdm/tpmpolicy-csp.md @@ -0,0 +1,46 @@ +--- +title: TPMPolicy CSP +description: TPMPolicy CSP +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# TPMPolicy CSP + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The TPMPolicy configuration service provider (CSP) . The TPMPolicy CSP was added in Windows 10, version 1703. + +The following diagram shows the TPMPolicy configuration service provider in tree format. + +![tpmpolicy csp](images/provisioning-csp-tpmpolicy.png) + +**./Device/Vendor/MSFT/TPMPolicy** +

    Defines the root node.

    + +**IsActiveZeroExhaust** +

    Boolean value

    + +Here is an example: + +``` syntax +                +                    101 +                    +                        +                            +                                ./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust +                            +                        +                         + bool +               text/plain +        +        true +                     +                 +``` \ No newline at end of file diff --git a/windows/client-management/mdm/tpmpolicy-ddf-file.md b/windows/client-management/mdm/tpmpolicy-ddf-file.md new file mode 100644 index 0000000000..35a90ff87b --- /dev/null +++ b/windows/client-management/mdm/tpmpolicy-ddf-file.md @@ -0,0 +1,71 @@ +--- +title: TPMPolicy DDF file +description: TPMPolicy DDF file +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# TPMPolicy DDF file + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic shows the OMA DM device description framework (DDF) for the **TPMPolicy** configuration service provider. The TPMPolicy CSP was added in Windows 10, version 1703. + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + TPMPolicy + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.0/MDM/TPMPolicy + + + + IsActiveZeroExhaust + + + + + + False + + + + + + + + + + + text/plain + + + + + +``` \ No newline at end of file From e095c4bda363c1a8fc5622366d00cd220f7904b8 Mon Sep 17 00:00:00 2001 From: Nick Brower Date: Thu, 8 Jun 2017 10:39:45 -0700 Subject: [PATCH 02/15] added documentation for Start/AllowPinnedFoder* policies addes in RS2. --- .../policy-configuration-service-provider.md | 370 ++++++++++++++++++ 1 file changed, 370 insertions(+) 
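Review bot: In the new tpmpolicy-csp.md from PATCH 01/15, the SyncML example targets "./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust" while the node is documented as "./Device/Vendor/MSFT/TPMPolicy" and the DDF names the node "TPMPolicy" under "./Vendor/MSFT". Pick one path and casing and use it in the heading, the example and the DDF, so an administrator copying the example addresses the node the topic documents. In the same file the opening sentence is unfinished ("The TPMPolicy configuration service provider (CSP) .") and IsActiveZeroExhaust is described only as "Boolean value"; say what true and false do, and state the default, which the DDF gives as False.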
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 5b81c0026b..bca99263de 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -15951,6 +15951,376 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. + + + +**Start/AllowPinnedFolderDocuments** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck markcheck markcross markcross mark
    + + + +

    This policy controls the visibility of the Documents shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut should be hidden and grays out the corresponding toggle in the Settings app. +- 1 – The shortcut should be visible and grays out the corresponding toggle in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck markcheck markcross markcross mark
    + + + +

    This policy controls the visibility of the Downloads shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut should be hidden and grays out the corresponding toggle in the Settings app. +- 1 – The shortcut should be visible and grays out the corresponding toggle in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderFileExplorer** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck markcheck markcross markcross mark
    + + + +

    This policy controls the visibility of the File Explorer shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut should be hidden and grays out the corresponding toggle in the Settings app. +- 1 – The shortcut should be visible and grays out the corresponding toggle in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderHomeGroup** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck markcheck markcross markcross mark
    + + + +

    This policy controls the visibility of the HomeGroup shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut should be hidden and grays out the corresponding toggle in the Settings app. +- 1 – The shortcut should be visible and grays out the corresponding toggle in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderMusic** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck markcheck markcross markcross mark
    + + + +

    This policy controls the visibility of the Music shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut should be hidden and grays out the corresponding toggle in the Settings app. +- 1 – The shortcut should be visible and grays out the corresponding toggle in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderNetwork** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck markcheck markcross markcross mark
    + + + +

    This policy controls the visibility of the Network shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut should be hidden and grays out the corresponding toggle in the Settings app. +- 1 – The shortcut should be visible and grays out the corresponding toggle in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderPersonalFolder** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck markcheck markcross markcross mark
    + + + +

    This policy controls the visibility of the PersonalFolder shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut should be hidden and grays out the corresponding toggle in the Settings app. +- 1 – The shortcut should be visible and grays out the corresponding toggle in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderPictures** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck markcheck markcross markcross mark
    + + + +

    This policy controls the visibility of the Pictures shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut should be hidden and grays out the corresponding toggle in the Settings app. +- 1 – The shortcut should be visible and grays out the corresponding toggle in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderSettings** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck markcheck markcross markcross mark
    + + + +

    This policy controls the visibility of the Settings shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut should be hidden and grays out the corresponding toggle in the Settings app. +- 1 – The shortcut should be visible and grays out the corresponding toggle in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderVideos** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck markcheck markcross markcross mark
    + + + +

    This policy controls the visibility of the Videos shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut should be hidden and grays out the corresponding toggle in the Settings app. +- 1 – The shortcut should be visible and grays out the corresponding toggle in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + From fac18ca1200bbb8c5974b62df837cf468da549a5 Mon Sep 17 00:00:00 2001 From: Nick Brower Date: Thu, 8 Jun 2017 10:44:11 -0700 Subject: [PATCH 03/15] added windows version info to each of the Start/AllowPinnedFolder* policy descriptions --- .../policy-configuration-service-provider.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index bca99263de..7e5e30110a 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -15980,7 +15980,7 @@ ADMX Info: -

    This policy controls the visibility of the Documents shortcut on the Start menu. +

    Added in Windows 10, version 1703. This policy controls the visibility of the Documents shortcut on the Start menu.

    The following list shows the supported values: @@ -16017,7 +16017,7 @@ ADMX Info: -

    This policy controls the visibility of the Downloads shortcut on the Start menu. +

    Added in Windows 10, version 1703. This policy controls the visibility of the Downloads shortcut on the Start menu.

    The following list shows the supported values: @@ -16054,7 +16054,7 @@ ADMX Info: -

    This policy controls the visibility of the File Explorer shortcut on the Start menu. +

    Added in Windows 10, version 1703. This policy controls the visibility of the File Explorer shortcut on the Start menu.

    The following list shows the supported values: @@ -16091,7 +16091,7 @@ ADMX Info: -

    This policy controls the visibility of the HomeGroup shortcut on the Start menu. +

    Added in Windows 10, version 1703. This policy controls the visibility of the HomeGroup shortcut on the Start menu.

    The following list shows the supported values: @@ -16128,7 +16128,7 @@ ADMX Info: -

    This policy controls the visibility of the Music shortcut on the Start menu. +

    Added in Windows 10, version 1703. This policy controls the visibility of the Music shortcut on the Start menu.

    The following list shows the supported values: @@ -16165,7 +16165,7 @@ ADMX Info: -

    This policy controls the visibility of the Network shortcut on the Start menu. +

    Added in Windows 10, version 1703. This policy controls the visibility of the Network shortcut on the Start menu.

    The following list shows the supported values: @@ -16202,7 +16202,7 @@ ADMX Info: -

    This policy controls the visibility of the PersonalFolder shortcut on the Start menu. +

    Added in Windows 10, version 1703. This policy controls the visibility of the PersonalFolder shortcut on the Start menu.

    The following list shows the supported values: @@ -16239,7 +16239,7 @@ ADMX Info: -

    This policy controls the visibility of the Pictures shortcut on the Start menu. +

    Added in Windows 10, version 1703. This policy controls the visibility of the Pictures shortcut on the Start menu.

    The following list shows the supported values: @@ -16276,7 +16276,7 @@ ADMX Info: -

    This policy controls the visibility of the Settings shortcut on the Start menu. +

    Added in Windows 10, version 1703. This policy controls the visibility of the Settings shortcut on the Start menu.

    The following list shows the supported values: @@ -16313,7 +16313,7 @@ ADMX Info: -

    This policy controls the visibility of the Videos shortcut on the Start menu. +

    Added in Windows 10, version 1703. This policy controls the visibility of the Videos shortcut on the Start menu.

    The following list shows the supported values: From e9002a782461bfa047ced3b2228137ddf380cbbe Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Thu, 8 Jun 2017 10:50:38 -0700 Subject: [PATCH 04/15] TPMPolicy CSP, incorporated feedback from Shantanu --- ...onfiguration-service-provider-reference.md | 28 +++++++++++++++++++ .../client-management/mdm/tpmpolicy-csp.md | 13 +++++++-- 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index e6f6ca4648..a6d30377d2 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2047,6 +2047,34 @@ The following tables show the configuration service providers support in Windows + +[TPMPolicy CSP](tpmpolicy-csp.md) + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck markcheck mark
    + + + + [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md) diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md index 222b6a7627..239e679672 100644 --- a/windows/client-management/mdm/tpmpolicy-csp.md +++ b/windows/client-management/mdm/tpmpolicy-csp.md @@ -13,7 +13,9 @@ author: nickbrower > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The TPMPolicy configuration service provider (CSP) . The TPMPolicy CSP was added in Windows 10, version 1703. +The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (telemetry or otherwise, such as downloading background images, Windows Updates, etc.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval. + +The TPMPolicy CSP was added in Windows 10, version 1703. The following diagram shows the TPMPolicy configuration service provider in tree format. @@ -23,7 +25,14 @@ The following diagram shows the TPMPolicy configuration service provider in tree

    Defines the root node.

    **IsActiveZeroExhaust** -

    Boolean value

    +

    Boolean value that indicates whether network traffic from the device to public IP addresses are not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured:

    + +
      +
    • There should be no traffic when machine is on idle. When the user is not interacting with the system/device, no traffic is expected.
    • +
    • There should be no traffic during installation of Windows and first logon when local ID is used.
    • +
    • Launching and using a local app (Notepad, Paint, etc.) should not send any traffic. Similarly, performing common tasks (clicking on start menu, browsing folders, etc.) should not send any traffic.
    • +
    • Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic, telemetry, etc.) to Microsoft.
    • +
    Here is an example: From 0d7cd460c73c0179432529862f5521588e753734 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Thu, 8 Jun 2017 11:01:11 -0700 Subject: [PATCH 05/15] Firewall CSP, incorporated feedback from Mihai --- windows/client-management/mdm/firewall-csp.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 34913158a8..e621f09ad8 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md 
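Review bot: In the IsActiveZeroExhaust description added by PATCH 04/15 to tpmpolicy-csp.md, "indicates whether network traffic from the device to public IP addresses are not allowed" is a negated condition with a subject-verb mismatch, so it is not obvious which value turns zero exhaust on. Suggest wording it positively, for example "When true, network traffic from the device to public IP addresses is not allowed unless directly intended by the user". Also say whether the four bullets ("There should be no traffic ...") are behavior the setting enforces or expectations to be verified, since an administrator relying on this for an isolated device needs to know which.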
@@ -13,10 +13,12 @@ author: nickbrower > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage both domain joined and non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP is new in the next major update to Windows 10. +The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP is new in the next major update to Windows 10. Firewall configuration commands must be wrapped in an Atomic block in SyncML. +For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](https://msdn.microsoft.com/en-us/library/mt620101.aspx). + The following diagram shows the Firewall configuration service provider in tree format. ![firewall csp](images/provisioning-csp-firewall.png) From 9dffe4cd546ddb520e84f80cc124ab08b791c44d Mon Sep 17 00:00:00 2001 From: Nick Brower Date: Thu, 8 Jun 2017 11:12:31 -0700 Subject: [PATCH 06/15] updated SKU info for various Start/ policies --- .../policy-configuration-service-provider.md | 428 ++++++++++++++++-- 1 file changed, 398 insertions(+), 30 deletions(-) 
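Review bot: In the first paragraph of firewall-csp.md, dropping "both domain joined and" leaves "the IT admin can now manage non-domain devices", which reads as if the CSP applies only to non-domain devices while the same sentence still promises reduced risk "across all systems connecting to the corporate network". Suggest stating explicitly whether domain-joined devices can also be configured through this CSP. The added MS-FASP sentence says "some of the fields below" without naming them; listing which nodes follow MS-FASP semantics would make the reference usable.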
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 7e5e30110a..3cc1f3814a 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -15969,10 +15969,10 @@ ADMX Info: cross mark - cross mark + check mark2 - check mark - check mark + check mark2 + check mark2 cross mark cross mark @@ -16006,10 +16006,10 @@ ADMX Info: cross mark - cross mark + check mark2 - check mark - check mark + check mark2 + check mark2 cross mark cross mark @@ -16043,10 +16043,10 @@ ADMX Info: cross mark - cross mark + check mark2 - check mark - check mark + check mark2 + check mark2 cross mark cross mark @@ -16080,10 +16080,10 @@ ADMX Info: cross mark - cross mark + check mark2 - check mark - check mark + check mark2 + check mark2 cross mark cross mark @@ -16117,10 +16117,10 @@ ADMX Info: cross mark - cross mark + check mark2 - check mark - check mark + check mark2 + check mark2 cross mark cross mark @@ -16154,10 +16154,10 @@ ADMX Info: cross mark - cross mark + check mark2 - check mark - check mark + check mark2 + check mark2 cross mark cross mark @@ -16191,10 +16191,10 @@ ADMX Info: cross mark - cross mark + check mark2 - check mark - check mark + check mark2 + check mark2 cross mark cross mark @@ -16228,10 +16228,10 @@ ADMX Info: cross mark - cross mark + check mark2 - check mark - check mark + check mark2 + check mark2 cross mark cross mark @@ -16265,10 +16265,10 @@ ADMX Info: cross mark - cross mark + check mark2 - check mark - check mark + check mark2 + check mark2 cross mark cross mark @@ -16302,10 +16302,10 @@ ADMX Info: cross mark - cross mark + check mark2 - check mark - check mark + check mark2 + check mark2 cross mark cross mark @@ -16369,6 +16369,29 @@ ADMX Info: **Start/HideAppList** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy requires reboot to take effect. @@ -16394,6 +16417,29 @@ ADMX Info: **Start/HideChangeAccountSettings** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile. @@ -16412,6 +16458,29 @@ ADMX Info: **Start/HideFrequentlyUsedApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy requires reboot to take effect. @@ -16437,6 +16506,29 @@ ADMX Info: **Start/HideHibernate** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button. @@ -16458,6 +16550,29 @@ ADMX Info: **Start/HideLock** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile. @@ -16476,6 +16591,29 @@ ADMX Info: **Start/HidePowerButton** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy requires reboot to take effect. @@ -16497,6 +16635,29 @@ ADMX Info: **Start/HideRecentJumplists** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy requires reboot to take effect. @@ -16525,6 +16686,29 @@ ADMX Info: **Start/HideRecentlyAddedApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy requires reboot to take effect. @@ -16550,6 +16734,29 @@ ADMX Info: **Start/HideRestart** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button. @@ -16568,6 +16775,29 @@ ADMX Info: **Start/HideShutDown** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button. @@ -16586,6 +16816,29 @@ ADMX Info: **Start/HideSignOut** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile. @@ -16604,6 +16857,29 @@ ADMX Info: **Start/HideSleep** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button. @@ -16622,6 +16898,29 @@ ADMX Info: **Start/HideSwitchAccount** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile. @@ -16640,6 +16939,29 @@ ADMX Info: **Start/HideUserTile** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy requires reboot to take effect. @@ -16662,6 +16984,29 @@ ADMX Info: **Start/ImportEdgeAssets** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy requires reboot to take effect. @@ -16685,6 +17030,29 @@ ADMX Info: **Start/NoPinningToTaskbar** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar. From 6c326e3a1bcc2b80f9234dffe2a777ffb226ccac Mon Sep 17 00:00:00 2001 From: Nick Brower Date: Thu, 8 Jun 2017 11:28:37 -0700 Subject: [PATCH 07/15] restored hololens and surface hub support references; added anchor link stubs for IoT Core and EAS support --- .../policy-configuration-service-provider.md | 126 +++++++++++++++++- 1 file changed, 124 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 3cc1f3814a..fd9db32524 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -20148,7 +20148,7 @@ Footnote: -## IoT Core Support +## Policies Supported by IoT Core [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) @@ -20197,7 +20197,7 @@ Footnote: -## Can be set using Exchange Active Sync (EAS) +## Policies that can be set using Exchange Active Sync (EAS) [Browser/AllowBrowser](#browser-allowbrowser) [Camera/AllowCamera](#camera-allowcamera) 
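Review bot: The renamed heading `## Policies that can be set using Exchange Active Sync (EAS)` spells the product as "Exchange Active Sync"; the product name is Exchange ActiveSync. While these headings are being renamed, settle on one capitalisation as well: the previous hunk introduces `## Policies Supported by IoT Core` with a capital S, while this heading and the ones added in the next hunk use lowercase.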
@@ -20221,7 +20221,129 @@ Footnote: [Wifi/AllowWiFi](#wifi-allowwifi) + +## Policies supported by Windows Holographic for Business +- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection) +- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps) +- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate) +- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) +- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) +- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) +- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) +- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) +- [Browser/AllowCookies](#browser-allowcookies) +- [Browser/AllowDoNotTrack](#browser-allowdonottrack) +- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) +- [Browser/AllowPopups](#browser-allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](#browser-allowsmartscreen) +- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword) +- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) +- [Experience/AllowCortana](#experience-allowcortana) +- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment) +- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) +- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) +- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) +- [Settings/AllowDateTime](#settings-allowdatetime) +- [Settings/AllowVPN](#settings-allowvpn) +- [System/AllowLocation](#system-allowlocation) +- [System/AllowTelemetry](#system-allowtelemetry) +- [Update/AllowAutoUpdate](#update-allowautoupdate) +- 
[Update/AllowUpdateService](#update-allowupdateservice) +- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) +- [Update/RequireUpdateApproval](#update-requireupdateapproval) +- [Update/UpdateServiceUrl](#update-updateserviceurl) + + + +## Policies supported by Microsoft Surface Hub + +- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) +- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) +- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing) +- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) +- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) +- [Browser/HomePages](#browser-homepages) +- [Browser/AllowCookies](#browser-allowcookies) +- [Browser/AllowDeveloperTools](#browser-allowdevelopertools) +- [Browser/AllowDoNotTrack](#browser-allowdonottrack) +- [Browser/AllowPopups](#browser-allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](#browser-allowsmartscreen) +- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride) +- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles) +- [Camera/AllowCamera](#camera-allowcamera) +- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy) +- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites) +- [Defender/AllowArchiveScanning](#defender-allowarchivescanning) +- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring) +- [Defender/AllowCloudProtection](#defender-allowcloudprotection) +- [Defender/AllowEmailScanning](#defender-allowemailscanning) +- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives) +- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning) +- 
[Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem) +- [Defender/AllowIOAVProtection](#defender-allowioavprotection) +- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection) +- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring) +- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles) +- [Defender/AllowScriptScanning](#defender-allowscriptscanning) +- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess) +- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor) +- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware) +- [Defender/ExcludedExtensions](#defender-excludedextensions) +- [Defender/ExcludedPaths](#defender-excludedpaths) +- [Defender/ExcludedProcesses](#defender-excludedprocesses) +- [Defender/PUAProtection](#defender-puaprotection) +- [Defender/RealTimeScanDirection](#defender-realtimescandirection) +- [Defender/ScanParameter](#defender-scanparameter) +- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime) +- [Defender/ScheduleScanDay](#defender-schedulescanday) +- [Defender/ScheduleScanTime](#defender-schedulescantime) +- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval) +- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent) +- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction) +- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize) +- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching) +- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode) +- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid) +- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage) +- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize) +- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth) +- 
[DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth) +- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos) +- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer) +- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache) +- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer) +- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive) +- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap) +- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth) +- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) +- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot) +- [System/AllowLocation](#system-allowlocation) +- [System/AllowTelemetry](#system-allowtelemetry) +- [TextInput/AllowIMELogging](#textinput-allowimelogging) +- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess) +- [TextInput/AllowInputPanel](#textinput-allowinputpanel) +- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters) +- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters) +- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph) +- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary) +- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall) +- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208) +- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc) +- 
[TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis) +- [Update/AllowAutoUpdate](#update-allowautoupdate) +- [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/BranchReadinessLevel](#update-branchreadinesslevel) +- [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays) +- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays) +- [Update/PauseFeatureUpdates](#update-pausefeatureupdates) +- [Update/PauseQualityUpdates](#update-pausequalityupdates) +- [Update/UpdateServiceUrl](#update-updateserviceurl) + ## Examples From e636884b56adedccfef1c54732d7ea511d2beee6 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 8 Jun 2017 12:17:49 -0700 Subject: [PATCH 08/15] added redirect from security baselines topic to DLC --- .openpublishing.redirection.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 8a8c061684..5ff5168b14 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,6 +1,11 @@ { "redirections": [ { +"source_path": "windows/device-security/windows-security-baselines.md", +"redirect_url": "https://www.microsoft.com/download/details.aspx?id=55319", +"redirect_document_id": true +}, +{ "source_path": "education/windows/windows-10-pro-to-pro-edu-upgrade.md", "redirect_url": "/education/windows/switch-to-pro-education", "redirect_document_id": true From c520acf269e6072856afaa3cc968c56953b1191d Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 8 Jun 2017 12:56:58 -0700 Subject: [PATCH 09/15] removed security baselines file --- .openpublishing.redirection.json | 2 +- .../windows-security-baselines.md | 74 ------------------- 2 files changed, 1 insertion(+), 75 deletions(-) delete mode 100644 windows/device-security/windows-security-baselines.md 
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 5ff5168b14..8f10c8e96a 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -3,7 +3,7 @@ { "source_path": "windows/device-security/windows-security-baselines.md", "redirect_url": "https://www.microsoft.com/download/details.aspx?id=55319", -"redirect_document_id": true +"redirect_document_id": false }, { "source_path": "education/windows/windows-10-pro-to-pro-edu-upgrade.md", diff --git a/windows/device-security/windows-security-baselines.md b/windows/device-security/windows-security-baselines.md deleted file mode 100644 index f62ee298ba..0000000000 --- a/windows/device-security/windows-security-baselines.md +++ /dev/null 
@@ -1,74 +0,0 @@ ---- -title: Windows security baselines (Windows 10) -description: Use this topic to learn what security baselines are and how you can use them in your organization to help keep your devices secure. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -localizationpriority: high -author: brianlic-msft ---- - -# Windows security baselines - -**Applies to** - -- Windows 10 -- Windows Server 2016 -- Windows Server 2012 R2 - -Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines. - -We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs. - - > [!NOTE] - > Microsoft Security Compliance Manager 4.0 is available from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53353). - -## What are security baselines? - -Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting their Internet-facing web apps, while a hospital may focus on protecting confidential patient information. 
The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. - -A security baseline is a collection of settings that have a security impact and include Microsoft’s recommended value for configuring those settings along with guidance on the security impact of those settings. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and -customers. - -## Why are security baselines needed? - -Security baselines are an essential benefit to customers because they bring together expert knowlege from Microsoft, partners, and customers. - -For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of those 4,800 settings, only some of them are security-related. While Microsoft provides extensive guidance on different security features, going through each of them can take a long time. You would have to determine the security impact of each setting on your own. After you've done that, you still need to determine what values each of these settings should be. - -In modern organizations, the security threat landscape is constantly evolving. IT pros and policy makers must keep current with security threats and changes to Windows security settings to help mitigate these threats. - -To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups. - -## How can you use security baselines? - - You can use security baselines to: - - - Ensure that user and device configuration settings are compliant with the baseline. - - Set configuration settings. 
For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. - -## Where can I get the security baselines? - - Here's a list of security baselines that are currently available. - - > [!NOTE] - > If you want to know what has changed with each security baseline, or if you want to stay up-to-date on what’s happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog. - -### Windows 10 security baselines - - - [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663) - - [Windows 10, Version 1511 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799381) - - [Windows 10, Version 1507 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799380) - -### Windows Server security baselines - - - [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663) - - [Windows Server 2012 R2 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799382) - -## How can I monitor security baseline deployments? - -Microsoft’s Operation Management Services (OMS) helps you monitor security baseline deployments across your servers. To find out more, check out [Operations Management Suite](https://aka.ms/omssecscm). - -You can use [System Center Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) to monitor security baseline deployments on client devices within your organization. - \ No newline at end of file From 070f2835284723ae1fe3e54118dcbfdb8bf09cd4 Mon Sep 17 00:00:00 2001 From: Nick Brower Date: Thu, 8 Jun 2017 13:30:32 -0700 Subject: [PATCH 10/15] put EAS at the end of support lists --- .../policy-configuration-service-provider.md | 50 +++++++++---------- 1 file changed, 25 insertions(+), 25 deletions(-) 
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index fd9db32524..221b5b47f9 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -20196,31 +20196,6 @@ Footnote: [Wifi/WLANScanMode](#wifi-wlanscanmode) - -## Policies that can be set using Exchange Active Sync (EAS) - -[Browser/AllowBrowser](#browser-allowbrowser) -[Camera/AllowCamera](#camera-allowcamera) -[Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -[Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) -[Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) -[DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) -[DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) -[DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) -[DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration) -[DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) -[DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) -[DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) -[DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) -[DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) -[Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) -[Security/RequireDeviceEncryption](#security-requiredeviceencryption) -[System/AllowStorageCard](#system-allowstoragecard) -[System/TelemetryProxy](#system-telemetryproxy) -[Wifi/AllowInternetSharing](#wifi-allowinternetsharing) -[Wifi/AllowWiFi](#wifi-allowwifi) - - ## Policies supported by Windows Holographic for Business 
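Review bot: The EAS entries removed in this hunk, and re-added after the Surface Hub list, are moved as bare link lines with no `- ` prefix, while the Windows Holographic and Surface Hub lists they now follow are bulleted. Since the block is being relocated anyway, convert the entries to list items of the form `- [Browser/AllowBrowser](#browser-allowbrowser)` in the same move.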
@@ -20345,6 +20320,31 @@ Footnote: - [Update/UpdateServiceUrl](#update-updateserviceurl) + +## Policies that can be set using Exchange Active Sync (EAS) + +[Browser/AllowBrowser](#browser-allowbrowser) +[Camera/AllowCamera](#camera-allowcamera) +[Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +[Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) +[Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) +[DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) +[DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) +[DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) +[DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration) +[DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) +[DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) +[DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) +[DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) +[DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) +[Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) +[Security/RequireDeviceEncryption](#security-requiredeviceencryption) +[System/AllowStorageCard](#system-allowstoragecard) +[System/TelemetryProxy](#system-telemetryproxy) +[Wifi/AllowInternetSharing](#wifi-allowinternetsharing) +[Wifi/AllowWiFi](#wifi-allowwifi) + + ## Examples Set the minimum password length to 4 characters. From 01b4bc5a4ba94da144e3090a2bc9864b9e0d4757 Mon Sep 17 00:00:00 2001 From: Nick Brower Date: Thu, 8 Jun 2017 14:45:45 -0700 Subject: [PATCH 11/15] updated iot core, surfacehub, and hololens support lists with respect to RS2 --- .../policy-configuration-service-provider.md | 180 +++++++++++------- 1 file changed, 114 insertions(+), 66 deletions(-) 
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 221b5b47f9..2b736b3054 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md 
@@ -20150,50 +20150,59 @@ Footnote: ## Policies Supported by IoT Core -[ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) -[Authentication/AllowFastReconnect](#authentication-allowfastreconnect) -[Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -[Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -[Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -[Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) -[Browser/AllowAutofill](#browser-allowautofill) -[Browser/AllowBrowser](#browser-allowbrowser) -[Browser/AllowCookies](#browser-allowcookies) -[Browser/AllowDoNotTrack](#browser-allowdonottrack) -[Browser/AllowInPrivate](#browser-allowinprivate) -[Browser/AllowPasswordManager](#browser-allowpasswordmanager) -[Browser/AllowPopups](#browser-allowpopups) -[Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -[Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) -[Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl) -[Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer) -[Camera/AllowCamera](#camera-allowcamera) -[Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -[Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) -[Connectivity/AllowNFC](#connectivity-allownfc) -[Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) -[Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular) -[Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular) -[DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess) -[Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage) -[Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage) -[Security/RequireDeviceEncryption](#security-requiredeviceencryption) 
-[Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) -[System/AllowEmbeddedMode](#system-allowembeddedmode) -[System/AllowStorageCard](#system-allowstoragecard) -[System/TelemetryProxy](#system-telemetryproxy) -[Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate) -[Update/AllowUpdateService](#update-allowupdateservice) -[Update/PauseDeferrals](#update-pausedeferrals) -[Update/RequireDeferUpgrade](#update-requiredeferupgrade) -[Update/RequireUpdateApproval](#update-requireupdateapproval) -[Update/ScheduledInstallDay](#update-scheduledinstallday) -[Update/ScheduledInstallTime](#update-scheduledinstalltime) -[Update/UpdateServiceUrl](#update-updateserviceurl) -[Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots) -[Wifi/AllowInternetSharing](#wifi-allowinternetsharing) -[Wifi/AllowWiFi](#wifi-allowwifi) -[Wifi/WLANScanMode](#wifi-wlanscanmode) +- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) +- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) +- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) +- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) +- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) +- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) +- [Browser/AllowAutofill](#browser-allowautofill) +- [Browser/AllowBrowser](#browser-allowbrowser) +- [Browser/AllowCookies](#browser-allowcookies) +- [Browser/AllowDoNotTrack](#browser-allowdonottrack) +- [Browser/AllowInPrivate](#browser-allowinprivate) +- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) +- [Browser/AllowPopups](#browser-allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) +- [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) +- [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl) +- 
[Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer) +- [Camera/AllowCamera](#camera-allowcamera) +- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) +- [Connectivity/AllowNFC](#connectivity-allownfc) +- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) +- [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular) +- [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular) +- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess) +- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) +- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) +- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) +- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) +- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) +- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) +- [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage) +- [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage) +- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) +- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) +- [System/AllowEmbeddedMode](#system-allowembeddedmode) +- [System/AllowFontProviders](#system-allowfontproviders) +- [System/AllowStorageCard](#system-allowstoragecard) +- 
[System/TelemetryProxy](#system-telemetryproxy) +- [Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate) +- [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/PauseDeferrals](#update-pausedeferrals) +- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) +- [Update/RequireUpdateApproval](#update-requireupdateapproval) +- [Update/ScheduledInstallDay](#update-scheduledinstallday) +- [Update/ScheduledInstallTime](#update-scheduledinstalltime) +- [Update/UpdateServiceUrl](#update-updateserviceurl) +- [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots) +- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing) +- [Wifi/AllowWiFi](#wifi-allowwifi) +- [Wifi/WLANScanMode](#wifi-wlanscanmode) 
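Review bot: The added Privacy entries link policy names that contain an underscore to fragments that use a hyphen, for example `[Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)`. Please confirm that these fragments match the anchors on the corresponding policy sections, because a mismatch only surfaces as a dead in-page link. Separately, this hunk combines the `- ` bullet conversion of every existing line with nine new entries; splitting the formatting change into its own commit would make the actual additions easier to review.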
@@ -20218,7 +20227,16 @@ Footnote: - [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) - [Experience/AllowCortana](#experience-allowcortana) - [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment) -- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) +- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) +- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) +- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) +- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) +- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) +- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) +- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) +- [System/AllowFontProviders](#system-allowfontproviders) - [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) - [Security/RequireDeviceEncryption](#security-requiredeviceencryption) - [Settings/AllowDateTime](#settings-allowdatetime) 
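Review bot: `- [System/AllowFontProviders](#system-allowfontproviders)` is inserted between the Privacy entries and `Search/AllowSearchToUseLocation`, which breaks the alphabetical order the rest of this list follows. Move it down to sit with the other System entries, directly before `- [System/AllowLocation](#system-allowlocation)`.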
@@ -20235,22 +20253,32 @@ Footnote: ## Policies supported by Microsoft Surface Hub +- [ApplicationDefaults/DefaultAssociationsConfiguration](#applicationdefaults-defaultassociationsconfiguration) - [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) - [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) - [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing) - [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) - [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) -- [Browser/HomePages](#browser-homepages) +- [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown) - [Browser/AllowCookies](#browser-allowcookies) - [Browser/AllowDeveloperTools](#browser-allowdevelopertools) - [Browser/AllowDoNotTrack](#browser-allowdonottrack) +- [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist) - [Browser/AllowPopups](#browser-allowpopups) - [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) - [Browser/AllowSmartScreen](#browser-allowsmartscreen) +- [Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit) +- [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines) +- [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages) +- [Browser/HomePages](#browser-homepages) +- [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection) - [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride) - [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles) +- [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine) - [Camera/AllowCamera](#camera-allowcamera) +- [ConfigOperations/ADMXInstall](#configoperations-admxinstall) - [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +- [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices) - 
[Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy) - [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites) - [Defender/AllowArchiveScanning](#defender-allowarchivescanning) @@ -20295,8 +20323,18 @@ Footnote: - [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive) - [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap) - [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth) +- [DeviceGuard/AllowKernelControlFlowGuard](#deviceguard-allowkernelcontrolflowguard) +- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) +- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) +- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) +- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) +- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) +- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) - [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) - [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot) +- [System/AllowFontProviders](#system-allowfontproviders) - [System/AllowLocation](#system-allowlocation) - [System/AllowTelemetry](#system-allowtelemetry) - [TextInput/AllowIMELogging](#textinput-allowimelogging) 
@@ -20310,39 +20348,49 @@ Footnote: - [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208) - [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc) - [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis) +- [TimeLanguageSettings/Set24HourClock](#timelanguagesettings-set24hourclock) +- [TimeLanguageSettings/SetCountry](#timelanguagesettings-setcountry) +- [TimeLanguageSettings/SetLanguage](#timelanguagesettings-setlanguage) - [Update/AllowAutoUpdate](#update-allowautoupdate) - [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule) +- [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal) - [Update/BranchReadinessLevel](#update-branchreadinesslevel) - [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays) - [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays) +- [Update/DetectionFrequency](#update-detectionfrequency) - [Update/PauseFeatureUpdates](#update-pausefeatureupdates) - [Update/PauseQualityUpdates](#update-pausequalityupdates) +- [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning) +- [Update/ScheduleRestartWarning](#update-schedulerestartwarning) +- [Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable) - [Update/UpdateServiceUrl](#update-updateserviceurl) +- [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate) ## Policies that can be set using Exchange Active Sync (EAS) -[Browser/AllowBrowser](#browser-allowbrowser) -[Camera/AllowCamera](#camera-allowcamera) -[Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -[Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) -[Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) 
-[DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) -[DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) -[DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) -[DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration) -[DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) -[DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) -[DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) -[DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) -[DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) -[Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) -[Security/RequireDeviceEncryption](#security-requiredeviceencryption) -[System/AllowStorageCard](#system-allowstoragecard) -[System/TelemetryProxy](#system-telemetryproxy) -[Wifi/AllowInternetSharing](#wifi-allowinternetsharing) -[Wifi/AllowWiFi](#wifi-allowwifi) +- [Browser/AllowBrowser](#browser-allowbrowser) +- [Camera/AllowCamera](#camera-allowcamera) +- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) +- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) +- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) +- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) +- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) +- [DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration) +- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) +- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) +- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) +- 
[DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) +- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) +- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) +- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) +- [System/AllowStorageCard](#system-allowstoragecard) +- [System/TelemetryProxy](#system-telemetryproxy) +- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing) +- [Wifi/AllowWiFi](#wifi-allowwifi) ## Examples From 64df49c615727b25263d7ab0d34ca4922bfef09f Mon Sep 17 00:00:00 2001 From: Nick Brower Date: Thu, 8 Jun 2017 15:15:10 -0700 Subject: [PATCH 12/15] added important message about user only policy: Notifications/DisallowNotificationMirroring --- .../mdm/policy-configuration-service-provider.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 2b736b3054..83d5f832cc 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -11587,6 +11587,13 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

    Added in Windows 10, version 1607. Boolean value that turns off notification mirroring. +> [!IMPORTANT] +> This node must be accessed using the following paths: +> +> - **./User/Vendor/MSFT/Policy/Config/Notifications/DisallowNotificationMirroring** to set the policy. +> - **./User/Vendor/MSFT/Policy/Result/Notifications/DisallowNotificationMirroring** to get the result. + +

    For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page.

    No reboot or service restart is required for this policy to take effect. From 5871f5074ec7b99464fd6b9bc497f5c1927a30a0 Mon Sep 17 00:00:00 2001 From: Nick Brower Date: Thu, 8 Jun 2017 15:29:54 -0700 Subject: [PATCH 13/15] updated Start/AllowPinnedFolder* policies with response from tech review --- .../policy-configuration-service-provider.md | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 83d5f832cc..1fb89dc1e2 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -15991,8 +15991,8 @@ ADMX Info:

    The following list shows the supported values: -- 0 – The shortcut should be hidden and grays out the corresponding toggle in the Settings app. -- 1 – The shortcut should be visible and grays out the corresponding toggle in the Settings app. +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. - 65535 (default) - There is no enforced configuration and the setting can be changed by the user. @@ -16028,8 +16028,8 @@ ADMX Info:

    The following list shows the supported values: -- 0 – The shortcut should be hidden and grays out the corresponding toggle in the Settings app. -- 1 – The shortcut should be visible and grays out the corresponding toggle in the Settings app. +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. - 65535 (default) - There is no enforced configuration and the setting can be changed by the user. @@ -16065,8 +16065,8 @@ ADMX Info:

    The following list shows the supported values: -- 0 – The shortcut should be hidden and grays out the corresponding toggle in the Settings app. -- 1 – The shortcut should be visible and grays out the corresponding toggle in the Settings app. +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. - 65535 (default) - There is no enforced configuration and the setting can be changed by the user. @@ -16102,8 +16102,8 @@ ADMX Info:

    The following list shows the supported values: -- 0 – The shortcut should be hidden and grays out the corresponding toggle in the Settings app. -- 1 – The shortcut should be visible and grays out the corresponding toggle in the Settings app. +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. - 65535 (default) - There is no enforced configuration and the setting can be changed by the user. @@ -16139,8 +16139,8 @@ ADMX Info:

    The following list shows the supported values: -- 0 – The shortcut should be hidden and grays out the corresponding toggle in the Settings app. -- 1 – The shortcut should be visible and grays out the corresponding toggle in the Settings app. +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. - 65535 (default) - There is no enforced configuration and the setting can be changed by the user. @@ -16176,8 +16176,8 @@ ADMX Info:

    The following list shows the supported values: -- 0 – The shortcut should be hidden and grays out the corresponding toggle in the Settings app. -- 1 – The shortcut should be visible and grays out the corresponding toggle in the Settings app. +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. - 65535 (default) - There is no enforced configuration and the setting can be changed by the user. @@ -16213,8 +16213,8 @@ ADMX Info:

    The following list shows the supported values: -- 0 – The shortcut should be hidden and grays out the corresponding toggle in the Settings app. -- 1 – The shortcut should be visible and grays out the corresponding toggle in the Settings app. +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. - 65535 (default) - There is no enforced configuration and the setting can be changed by the user. @@ -16250,8 +16250,8 @@ ADMX Info:

    The following list shows the supported values: -- 0 – The shortcut should be hidden and grays out the corresponding toggle in the Settings app. -- 1 – The shortcut should be visible and grays out the corresponding toggle in the Settings app. +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. - 65535 (default) - There is no enforced configuration and the setting can be changed by the user. @@ -16287,8 +16287,8 @@ ADMX Info:

    The following list shows the supported values: -- 0 – The shortcut should be hidden and grays out the corresponding toggle in the Settings app. -- 1 – The shortcut should be visible and grays out the corresponding toggle in the Settings app. +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. - 65535 (default) - There is no enforced configuration and the setting can be changed by the user. @@ -16324,8 +16324,8 @@ ADMX Info:

    The following list shows the supported values: -- 0 – The shortcut should be hidden and grays out the corresponding toggle in the Settings app. -- 1 – The shortcut should be visible and grays out the corresponding toggle in the Settings app. +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. - 65535 (default) - There is no enforced configuration and the setting can be changed by the user. From 4fc05c60643abcce4a71e1a552e6d15c53a498b7 Mon Sep 17 00:00:00 2001 From: Celeste de Guzman Date: Thu, 8 Jun 2017 15:50:06 -0700 Subject: [PATCH 14/15] emergency update to correct DL for ad free search email alias, per PM, and to include SUSPC in the MS Edu hub --- education/index.md | 38 +++++++++++++++++++ .../configure-windows-for-education.md | 2 +- 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/education/index.md b/education/index.md index 0bb10155b3..95fdcd0939 100644 --- a/education/index.md +++ b/education/index.md @@ -207,6 +207,25 @@ author: CelesteDG +

  • + +
    +
    +
    +
    +
    + Set up School PCs +
    +
    +
    +

    Set up School PCs

    +

    Use the app to create a provisioning package that you can use to quickly set up one or more Windows 10 devices.

    +
    +
    +
    +
    +
    +
  • @@ -331,6 +350,25 @@ author: CelesteDG +
  • + +
    +
    +
    +
    +
    + Set up School PCs +
    +
    +
    +

    Set up School PCs

    +

    Use the app to create a provisioning package that you can use to quickly set up one or more Windows 10 devices.

    +
    +
    +
    +
    +
    +
  • diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 897f7df8c4..a6b8111e90 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md @@ -145,7 +145,7 @@ Provide an ad-free experience that is a safer, more private search option for K ### Configurations #### IP registration for entire school network using Microsoft Edge -Ad-free searching with Bing in Microsoft Edge can be configured at the network level. To configure this, email bicteam@microsoft.com with the subject "New Windows 10, version 1703 (Creators Update) Registration: [School District Name]" and the include the following information in the body of the email. +Ad-free searching with Bing in Microsoft Edge can be configured at the network level. To configure this, email bingintheclassroom@microsoft.com with the subject "New Windows 10, version 1703 (Creators Update) Registration: [School District Name]" and the include the following information in the body of the email. **District information** - **District or School Name:** From ee8cc461ff302e443eee2626acf66dd74d377d47 Mon Sep 17 00:00:00 2001 From: Celeste de Guzman Date: Thu, 8 Jun 2017 17:18:59 -0700 Subject: [PATCH 15/15] changed coming soon to link to I4E topic that shows the settings --- education/windows/configure-windows-for-education.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index a6b8111e90..715ba27c8a 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md 
@@ -64,7 +64,7 @@ You can configure Windows through provisioning or management tools including ind You can set all the education compliance areas through both provisioning and management tools. Additionally, these Microsoft education tools will ensure PCs that you set up are education ready: - [Set up School PCs](use-set-up-school-pcs-app.md) -- Intune for Education (coming soon) +- [Intune for Education](https://docs.microsoft.com/en-us/intune-education/available-settings) ## AllowCortana **AllowCortana** is a policy that enables or disables Cortana. It is a policy node in the Policy configuration service provider, [AllowCortana](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcortana).
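Review bot: In policy-configuration-service-provider.md, hunk @@ -20218,7 +20227,16 @@, the added "- [System/AllowFontProviders](#system-allowfontproviders)" entry sits between the Privacy/* entries and Search/AllowSearchToUseLocation, which breaks the alphabetical order the surrounding entries follow (DeviceLock, Experience, Privacy, Search, Security, Settings). Move it below the Settings/* entries, next to the list's other System/* items if it has any. The Surface Hub hunk @@ -20295,8 +20323,18 @@ already places the same entry correctly, directly before System/AllowLocation.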
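Review bot: In PATCH 12/15, hunk @@ -11587,6 +11587,13 @@, the added [!IMPORTANT] block says the node "must be accessed using the following paths" but never gives the reason stated in the commit subject, that Notifications/DisallowNotificationMirroring is a user-only policy. Add one sentence to the note saying the policy is user scope only, so someone authoring the MDM payload understands why only the two ./User/Vendor/MSFT/Policy paths are listed.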
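Review bot: In PATCH 13/15, the replacement wording repeated in all ten Start/AllowPinnedFolder* hunks, "The shortcut is hidden and disables the setting in the Settings app.", makes the shortcut the subject of "disables", although it is the policy value that locks the setting. Suggest "0 – The shortcut is hidden and the setting is disabled in the Settings app." and the matching form for 1. While these lists are open, the unchanged "65535 (default) -" line uses a hyphen where the 0 and 1 lines use an en dash, so the separator should be made consistent across the three values.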
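Review bot: In PATCH 14/15, configure-windows-for-education.md hunk @@ -145,7 +145,7 @@, the rewritten line still carries the typo "and the include the following information in the body of the email". Since the line is already being replaced for the alias correction to bingintheclassroom@microsoft.com, fix it in the same change so it reads "and include the following information in the body of the email".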
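Review bot: In PATCH 15/15, hunk @@ -64,7 +64,7 @@, the new Intune for Education link pins the locale with the "/en-us/" segment in https://docs.microsoft.com/en-us/intune-education/available-settings. Drop that segment so the link is not tied to one language. The link text could also say that the target lists the available settings, which is how the commit message describes it ("topic that shows the settings"); as written, the bullet reads like a product landing link next to the Set up School PCs how-to link.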