merger from master

Joey Caparas
2018-08-07 06:59:18 -07:00
116 changed files with 1675 additions and 8450 deletions

View File

@ -365,7 +365,7 @@ Node that can be used to perform signature updates for Windows Defender.
Supported operations are Get and Execute.
<a href="" id="offlinescan"></a>**OfflineScan**
Added in Windows 10, version 1803. OfflineScan action starts a Windows Defender offline scan on the computer where you run the command. This command causes the computer reboot and start in Windows Defender offline mode to begin the scan.
Added in Windows 10, version 1803. OfflineScan action starts a Windows Defender offline scan on the computer where you run the command. After the next OS reboot, the device will start in Windows Defender offline mode to begin the scan.
Supported operations are Get and Execute.
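Review bot: The reworded OfflineScan description says the scan begins "After the next OS reboot", but it no longer says whether Execute itself triggers that reboot, which the previous sentence did ("causes the computer reboot"). Suggest stating explicitly whether the action restarts the device or whether the admin has to trigger the reboot separately, so an operator does not assume the offline scan has already run.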
@ -374,12 +374,3 @@ Supported operations are Get and Execute.
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

View File

@ -364,9 +364,9 @@ Added in Windows 10, next major version. Specifies if an app is nonremovable by
This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This is also useful when there are multiple users per device, and you want to ensure that one user doesnt remove it for all users.
This setting requires admin permission. This can only be set per device, not per user. You can query the setting using AppInvetoryQuery or AppInventoryResults.
NonRemovable requires admin permission. This can only be set per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer. Supported operations are Add, Get, and Replace.
Valid values:
- 0 app is not in the nonremovable app policy list
@ -382,12 +382,12 @@ Add an app to the nonremovable app policy list
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/Test123/NonRemovable</LocURI>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
<Data>1</Data>
</Item>
</Add>
<Final/>
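Review bot: In the Add example, the LocURI segment PackageFamilyName reads like a literal node name, so a reader copying the SyncML verbatim would target an app that does not exist. Suggest saying in the text above the example that PackageFamilyName stands for the app's package family name, and doing the same for the Delete, Get and Replace examples that use this LocURI.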
@ -403,7 +403,7 @@ Delete an app from the nonremovable app policy list
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/Test123/NonRemovable</LocURI>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable</LocURI>
</Target>
</Item>
</Delete>
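Review bot: The Delete example is kept and updated here, yet this commit also changes the NonRemovable text to "Supported operations are Add, Get, and Replace", and a later hunk drops <Delete /> from an AccessType block. If Delete is no longer supported on this node, this example should be removed or turned into a Replace that sets Data to 0; otherwise the supported-operations sentence needs Delete restored.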
@ -412,7 +412,7 @@ Delete an app from the nonremovable app policy list
</SyncML>
```
Get list of apps in the nonremovable app policy list
Get the status for a particular app
```
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -420,7 +420,7 @@ Get list of apps in the nonremovable app policy list
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/Test123/NonRemovable</LocURI>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable</LocURI>
</Target>
</Item>
</Get>
@ -429,9 +429,9 @@ Get list of apps in the nonremovable app policy list
</SyncML>
```
Replace an app in the nonremovable app policy list
Data 0 = app is not in the app policy list
Data 1 = app is in the app policy list
Replace an app in the nonremovable app policy list
Data 0 = app is not in the app policy list
Data 1 = app is in the app policy list
```
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -439,7 +439,7 @@ Data 1 = app is in the app policy list
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/Test123/NonRemovable</LocURI>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>

View File

@ -495,7 +495,6 @@ The XML below is for Windows 10, next major version.
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>

Binary file not shown (before: 22 KiB, after: 31 KiB).

View File

@ -27,6 +27,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
- [What's new in Windows 10, version 1703](#whatsnew10)
- [What's new in Windows 10, version 1709](#whatsnew1709)
- [What's new in Windows 10, version 1803](#whatsnew1803)
- [What's new in Windows 10, next major version](#whatsnewnext)
- [Change history in MDM documentation](#change-history-in-mdm-documentation)
- [Breaking changes and known issues](#breaking-changes-and-known-issues)
- [Get command inside an atomic command is not supported](#getcommand)
@ -1357,6 +1358,101 @@ For details about Microsoft mobile device management protocols for Windows 10 s
</tbody>
</table>
## <a href="" id="whatsnewnext"></a>What's new in Windows 10, next major version
<table class="mx-tdBreakAll">
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th>New or updated topic</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies in Windows 10, next major version:</p>
<ul>
<li>ApplicationManagement/LaunchAppAfterLogOn</li>
<li>ApplicationManagement/ScheduleForceRestartForUpdateFailures </li>
<li>Authentication/EnableFastFirstSignIn</li>
<li>Authentication/EnableWebSignIn</li>
<li>Authentication/PreferredAadTenantDomainName</li>
<li>Defender/CheckForSignaturesBeforeRunningScan</li>
<li>Defender/DisableCatchupFullScan </li>
<li>Defender/DisableCatchupQuickScan </li>
<li>Defender/EnableLowCPUPriority</li>
<li>Defender/SignatureUpdateFallbackOrder</li>
<li>Defender/SignatureUpdateFileSharesSources</li>
<li>DeviceGuard/EnableSystemGuard</li>
<li>DeviceInstallation/AllowInstallationOfMatchingDeviceIDs</li>
<li>DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses</li>
<li>DeviceInstallation/PreventDeviceMetadataFromNetwork</li>
<li>DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings</li>
<li>DmaGuard/DeviceEnumerationPolicy</li>
<li>Experience/AllowClipboardHistory</li>
<li>Experience/DoNotSyncBrowserSetting</li>
<li>Experience/PreventUsersFromTurningOnBrowserSyncing</li>
<li>Security/RecoveryEnvironmentAuthentication</li>
<li>TaskManager/AllowEndTask</li>
<li>Update/EngagedRestartDeadlineForFeatureUpdates</li>
<li>Update/EngagedRestartSnoozeScheduleForFeatureUpdates</li>
<li>Update/EngagedRestartTransitionScheduleForFeatureUpdates</li>
<li>Update/SetDisablePauseUXAccess</li>
<li>Update/SetDisableUXWUAccess</li>
<li>WindowsDefenderSecurityCenter/DisableClearTpmButton</li>
<li>WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning</li>
<li>WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl</li>
<li>WindowsLogon/DontDisplayNetworkSelectionUI</li>
</ul>
</td></tr>
<tr>
<td style="vertical-align:top">[PassportForWork CSP](passportforwork-csp.md)</td>
<td style="vertical-align:top"><p>Added new settings in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)</td>
<td style="vertical-align:top"><p>Added NonRemovable setting under AppManagement node in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md)</td>
<td style="vertical-align:top"><p>Added new configuration service provider in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[WindowsLicensing CSP](windowslicensing-csp.md)</td>
<td style="vertical-align:top"><p>Added S mode settings and SyncML examples in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[SUPL CSP](supl-csp.md)</td>
<td style="vertical-align:top"><p>Added 3 new certificate nodes in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[Defender CSP](defender-csp.md)</td>
<td style="vertical-align:top"><p>Added a new node Health/ProductStatus in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[BitLocker CSP](bitlocker-csp.md)</td>
<td style="vertical-align:top"><p>Added a new node AllowStandardUserEncryption in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[DevDetail CSP](devdetail-csp.md)</td>
<td style="vertical-align:top"><p>Added a new node SMBIOSSerialNumber in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[Wifi CSP](wifi-csp.md)</td>
<td style="vertical-align:top"><p>Added a new node WifiCost in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)</td>
<td style="vertical-align:top"><p>Added new settings in Windows 10, next major version.</p>
</td></tr>
</tbody>
</table>
## Breaking changes and known issues
### <a href="" id="getcommand"></a>Get command inside an atomic command is not supported
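Review bot: The Policy CSP list in this new table names Experience/DoNotSyncBrowserSetting, and so does the August 2018 change-history entry added further down, while the Policy CSP and DDF hunks in this same commit rename the policy to DoNotSyncBrowserSettings. Suggest using the renamed spelling in both tables. The list also omits policies that the DDF hunks add in this commit, such as PreventTurningOffRequiredExtensions, DisablePrivacyExperience and AllowDeviceNameInDiagnosticData; add them or note why they are left out.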
@ -1623,6 +1719,35 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
## Change history in MDM documentation
### August 2018
<table class="mx-tdBreakAll">
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th>New or updated topic</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="vertical-align:top">[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)</td>
<td style="vertical-align:top"><p>Added new settings in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies in Windows 10, next major version:</p>
<ul>
<li>Experience/DoNotSyncBrowserSetting</li>
<li>Experience/PreventUsersFromTurningOnBrowserSyncing</li>
</ul>
</td></tr>
</tbody>
</table>
### July 2018
<table class="mx-tdBreakAll">
@ -1729,7 +1854,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<tbody>
<tr>
<td style="vertical-align:top">[Wifi CSP](wifi-csp.md)</td>
<td style="vertical-align:top"><p>Added a new node WifiCost.</p>
<td style="vertical-align:top"><p>Added a new node WifiCost in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)</td>
@ -1741,7 +1866,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</td></tr>
<tr>
<td style="vertical-align:top">[Bitlocker CSP](bitlocker-csp.md)</td>
<td style="vertical-align:top"><p>Added new node AllowStandardUserEncryption.</p>
<td style="vertical-align:top"><p>Added new node AllowStandardUserEncryption in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>

View File

@ -91,7 +91,7 @@ ms.date: 07/30/2018
<a href="#experience-donotshowfeedbacknotifications">Experience/DoNotShowFeedbackNotifications</a>
</dd>
<dd>
<a href="#experience-donotsyncbrowsersetting">Experience/DoNotSyncBrowserSetting</a>
<a href="#experience-donotsyncbrowsersetting">Experience/DoNotSyncBrowserSettings</a>
</dd>
<dd>
<a href="#experience-preventusersfromturningonbrowsersyncing">Experience/PreventUsersFromTurningOnBrowserSyncing</a>
@ -1399,7 +1399,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-donotsyncbrowsersetting"></a>**Experience/DoNotSyncBrowserSetting**
<a href="" id="experience-donotsyncbrowsersetting"></a>**Experience/DoNotSyncBrowserSettings**
<!--SupportedSKUs-->
<table>
@ -1434,14 +1434,10 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
By default, the "browser" group syncs automatically between users devices and allowing users to choose to make changes. The "browser" group uses the **Sync your Settings** option in Settings to sync information like history and favorites. Enabling this policy prevents the "browser" group from using the **Sync your Settings** option. If you want syncing turned off by default but not disabled, select the Allow users to turn "browser" syncing option.
[!INCLUDE [do-not-sync-browser-settings-shortdesc](../../../browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md)]
Related policy: PreventUsersFromTurningOnBrowserSyncing.
Value type is integer. Supported values:
- 0 (default) - Allowed/turned on. The "browser" group syncs automatically between users devices and lets users to make changes.
- 2 - Prevented/turned off. The "browser" group does not use the **Sync your Settings** option.
Related policy:
PreventUsersFromTurningOnBrowserSyncing
<!--/Description-->
<!--ADMXMapped-->
@ -1453,7 +1449,12 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- 0 (default) - Allowed/turned on. The "browser" group syncs automatically between users devices and lets users to make changes.
- 2 - Prevented/turned off. The "browser" group does not use the _Sync your Settings_ option.
Value type is integer.
<!--/SupportedValues-->
<!--Example-->
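Review bot: The Supported values list gives only 0 and 2 and then "Value type is integer", so a reader cannot tell whether 1 is invalid or reserved; say so explicitly. In the 0 entry, "users devices" should be "users' devices" and "lets users to make changes" should be "lets users make changes".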
@ -1501,25 +1502,21 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
By default, the "browser" group syncs automatically between the users devices, letting users make changes. With this policy, though, you can prevent the "browser" group from syncing and prevent users from turning on the Sync your Settings toggle in Settings. If you want syncing turned off by default but not disabled, select the Allow users to turn "browser" syncing option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy.
[!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../../../browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)]
Related policy: DoNotSyncBrowserSetting
Related policy:
DoNotSyncBrowserSettings
Value type is integer. Supported values:
- 0 - Allowed/turned on. Users can sync the browser settings.
- 1 (default) - Prevented/turned off.
This policy only works with the Experience/DoNotSyncBrowserSetting policy, and for this policy to work correctly, you must set Experience/DoNotSynBrowserSettings to 2 (enabled). By default, when you set this policy and the Experience/DoNotSyncBrowserSetting policy to 0 (disabled or not configured), the browser settings sync automatically. However, with this policy, you can prevent the syncing of browser settings and prevent users from turning on the Sync your Settings option. Additionally, you can prevent syncing the browser settings but give users a choice to turn on syncing.
If you want to prevent syncing of browser settings and prevent users from turning it on:
1. Set Experience/DoNotSyncBrowserSetting to 2 (enabled).
1. Set Experience/DoNotSyncBrowserSettings to 2 (enabled).
1. Set this policy (Experience/PreventUsersFromTurningOnBrowserSyncing) to 1 (enabled or not configured).
If you want to prevent syncing of browser settings but give users a choice to turn on syncing:
1. Set Experience/DoNotSyncBrowserSetting to 2 (enabled).
1. Set Experience/DoNotSyncBrowserSettings to 2 (enabled).
1. Set this policy (Experience/PreventUsersFromTurningOnBrowserSyncing) to 0 (disabled).
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
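Review bot: The paragraph beginning "This policy only works with the Experience/DoNotSyncBrowserSetting policy" still uses the old name twice and also contains "Experience/DoNotSynBrowserSettings" (missing "c"), while the numbered steps below it are updated to DoNotSyncBrowserSettings. If that paragraph stays in the topic, it should use the renamed policy throughout so that the steps and the explanation refer to the same setting.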
@ -1531,7 +1528,12 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- 0 - Allowed/turned on. Users can sync the browser settings.
- 1 (default) - Prevented/turned off.
Value type is integer.
<!--/SupportedValues-->
<!--Example-->
@ -1540,15 +1542,12 @@ ADMX Info:
**Validation procedure:**
Microsoft Edge on your PC:
1. Select More > Settings.
1. Select **More > Settings**.
1. See if the setting is enabled or disabled based on your setting.
<!--/Validation-->
<!--/Policy-->
<<<<<<< HEAD
=======
>>>>>>> 3c06afe9875ad82fff960313bea663f49a2f7d2c
<hr/>
Footnote:

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/03/2018
ms.date: 08/03/2018
---
# Policy DDF file
@ -1406,30 +1406,6 @@ Related policy:
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ForceEnabledExtensions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This setting lets you decide which extensions should be always enabled.</Description>
<DFFormat>
<chr/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>HomePages</NodeName>
<DFProperties>
@ -1654,6 +1630,47 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PreventTurningOffRequiredExtensions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically.
When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension.
When enabled, removing extensions from the list does not uninstall the extension from the users computer automatically. To uninstall the extension, use any available enterprise deployment channel.
If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension.
If disabled or not configured, extensions defined as part of this policy get ignored.
Default setting: Disabled or not configured
Related policies: Allow Developer Tools
Related Documents:
- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn)
- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business)
- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy)
- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows)</Description>
<DFFormat>
<chr/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PreventUsingLocalHostIPAddressForWebRTC</NodeName>
<DFProperties>
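Review bot: In the PreventTurningOffRequiredExtensions Description, "Any additional permissions requested by future updates of the extension gets granted automatically" should read "get granted", and "the users computer" needs an apostrophe. That sentence is also the security-relevant part of the policy, since an update to a listed extension gains new permissions without a prompt, so it deserves its own paragraph rather than the tail of the first one. The same Description text appears in the other PreventTurningOffRequiredExtensions hunks and needs the same fixes.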
@ -8614,6 +8631,52 @@ Related policy:
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Privacy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>DisablePrivacyExperience</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users.</Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Security</NodeName>
<DFProperties>
@ -10528,34 +10591,6 @@ Related policy:
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>ForceEnabledExtensions</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue></DefaultValue>
<Description>This setting lets you decide which extensions should be always enabled.</Description>
<DFFormat>
<chr/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:NotSupportedOnPlatform>phone</MSFT:NotSupportedOnPlatform>
<MSFT:ADMXMapped>MicrosoftEdge.admx</MSFT:ADMXMapped>
<MSFT:ADMXMappedElement>ForceEnabledExtensions_List</MSFT:ADMXMappedElement>
<MSFT:ADMXCategory>MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>ForceEnabledExtensions</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>HomePages</NodeName>
<DFProperties>
@ -10806,6 +10841,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
<MSFT:ConflictResolution>HighestValueMostSecure</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>PreventTurningOffRequiredExtensions</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue></DefaultValue>
<Description>You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically.
When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension.
When enabled, removing extensions from the list does not uninstall the extension from the users computer automatically. To uninstall the extension, use any available enterprise deployment channel.
If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension.
If disabled or not configured, extensions defined as part of this policy get ignored.
Default setting: Disabled or not configured
Related policies: Allow Developer Tools
Related Documents:
- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn)
- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business)
- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy)
- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows)</Description>
<DFFormat>
<chr/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:NotSupportedOnPlatform>phone</MSFT:NotSupportedOnPlatform>
<MSFT:ADMXMapped>MicrosoftEdge.admx</MSFT:ADMXMapped>
<MSFT:ADMXMappedElement>PreventTurningOffRequiredExtensions_Prompt</MSFT:ADMXMappedElement>
<MSFT:ADMXCategory>MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>PreventTurningOffRequiredExtensions</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>PreventUsingLocalHostIPAddressForWebRTC</NodeName>
<DFProperties>
@ -18546,6 +18626,54 @@ Related policy:
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Privacy</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>DisablePrivacyExperience</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users.</Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="0" high="1"></MSFT:SupportedValues>
<MSFT:NotSupportedOnPlatform>phone</MSFT:NotSupportedOnPlatform>
<MSFT:ADMXMapped>OOBE.admx</MSFT:ADMXMapped>
<MSFT:ADMXCategory>OOBE~AT~WindowsComponents~OOBE</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>DisablePrivacyExperience</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>LowestValueMostSecure</MSFT:ConflictResolution>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Security</NodeName>
<DFProperties>
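Review bot: DisablePrivacyExperience is declared with DefaultValue 0, SupportedValues low="0" high="1" and ConflictResolution LowestValueMostSecure, but the Description only says "Enabling this policy prevents the privacy experience from launching" and never maps 0 and 1 to disabled and enabled. Suggest adding the value meanings to the Description, in the style the PreventUsersFromTurningOnBrowserSyncing Description uses ("1 (default) = ..., 0 = ..."), so it is clear which setting wins under LowestValueMostSecure.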
@ -22272,30 +22400,6 @@ Related policy:
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ForceEnabledExtensions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This setting lets you decide which extensions should be always enabled.</Description>
<DFFormat>
<chr/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>HomePages</NodeName>
<DFProperties>
@ -22520,6 +22624,47 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PreventTurningOffRequiredExtensions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically.
When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension.
When enabled, removing extensions from the list does not uninstall the extension from the users computer automatically. To uninstall the extension, use any available enterprise deployment channel.
If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension.
If disabled or not configured, extensions defined as part of this policy get ignored.
Default setting: Disabled or not configured
Related policies: Allow Developer Tools
Related Documents:
- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn)
- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business)
- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy)
- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows)</Description>
<DFFormat>
<chr/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PreventUsingLocalHostIPAddressForWebRTC</NodeName>
<DFProperties>
@ -27063,7 +27208,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
</DFProperties>
</Node>
<Node>
<NodeName>DoNotSyncBrowserSetting</NodeName>
<NodeName>DoNotSyncBrowserSettings</NodeName>
<DFProperties>
<AccessType>
<Add />
@ -27098,7 +27243,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
<Replace />
</AccessType>
<Description>You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user&apos;s devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings.
Related policy: DoNotSyncBrowserSetting
Related policy: DoNotSyncBrowserSettings
1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing</Description>
<DFFormat>
<int/>
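Review bot: Only the "Related policy" line is renamed here; the Description above it still says "When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically", which reads as the opposite of "1 (default) = Do not allow users to turn on syncing" two lines later. Worth checking that sentence against the Policy CSP text and rewording it in the same pass as the rename.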
@ -34352,38 +34497,6 @@ Default: Disabled.</Description>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Microsoft network server: Amount of idle time required before suspending a session
This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.
Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.
For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.
Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.</Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MicrosoftNetworkServer_DigitallySignCommunicationsAlways</NodeName>
<DFProperties>
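Review bot: This hunk deletes the MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession node outright, and neither the commit message nor the "What's new" and August 2018 change-history tables added in this commit mention the removal. Please confirm the node is intentionally dropped from the DDF and record it in the change history, so admins who set this SMB idle-timeout value through MDM can see why it disappeared.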
@ -36623,6 +36736,30 @@ The options are:
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DisablePrivacyExperience</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users.</Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnableActivityFeed</NodeName>
<DFProperties>
@ -41468,6 +41605,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AllowDeviceNameInDiagnosticData</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data.</Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AllowEmbeddedMode</NodeName>
<DFProperties>
@ -44073,7 +44234,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
</DFProperties>
</Node>
<Node>
<NodeName>UpdateNotificationKioskMode</NodeName>
<NodeName>UpdateNotificationLevel</NodeName>
<DFProperties>
<AccessType>
<Add />
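Review bot: Renaming the NodeName from UpdateNotificationKioskMode to UpdateNotificationLevel changes the name a management profile has to target, and nothing in this hunk records that the old name existed. Add a line to the policy description or the change history saying that UpdateNotificationKioskMode was replaced, so that profiles still using the old name can be found and updated.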
@ -49551,34 +49712,6 @@ Related policy:
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>ForceEnabledExtensions</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue></DefaultValue>
<Description>This setting lets you decide which extensions should be always enabled.</Description>
<DFFormat>
<chr/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:NotSupportedOnPlatform>phone</MSFT:NotSupportedOnPlatform>
<MSFT:ADMXMapped>MicrosoftEdge.admx</MSFT:ADMXMapped>
<MSFT:ADMXMappedElement>ForceEnabledExtensions_List</MSFT:ADMXMappedElement>
<MSFT:ADMXCategory>MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>ForceEnabledExtensions</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>HomePages</NodeName>
<DFProperties>
@ -49829,6 +49962,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
<MSFT:ConflictResolution>HighestValueMostSecure</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>PreventTurningOffRequiredExtensions</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue></DefaultValue>
<Description>You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically.
When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension.
When enabled, removing extensions from the list does not uninstall the extension from the users computer automatically. To uninstall the extension, use any available enterprise deployment channel.
If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension.
If disabled or not configured, extensions defined as part of this policy get ignored.
Default setting: Disabled or not configured
Related policies: Allow Developer Tools
Related Documents:
- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn)
- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business)
- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy)
- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows)</Description>
<DFFormat>
<chr/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:NotSupportedOnPlatform>phone</MSFT:NotSupportedOnPlatform>
<MSFT:ADMXMapped>MicrosoftEdge.admx</MSFT:ADMXMapped>
<MSFT:ADMXMappedElement>PreventTurningOffRequiredExtensions_Prompt</MSFT:ADMXMappedElement>
<MSFT:ADMXCategory>MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>PreventTurningOffRequiredExtensions</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>PreventUsingLocalHostIPAddressForWebRTC</NodeName>
<DFProperties>
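Review bot: In the PreventTurningOffRequiredExtensions Description, the sentence "Any additional permissions requested by future updates of the extension gets granted automatically" is the main security consequence of the policy, yet it sits in the middle of the first paragraph. Give it its own line, and fix "gets" to "get" and "the users computer" to "the user's computer". The text also says users "cannot uninstall extensions" while the policy name and the example are about turning extensions off; state which of the two the policy blocks. Separately, the mapped element is named PreventTurningOffRequiredExtensions_Prompt although the value is a semi-colon delimited list; confirm that this matches the element name in MicrosoftEdge.admx.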
@ -54899,7 +55077,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
</DFProperties>
</Node>
<Node>
<NodeName>DoNotSyncBrowserSetting</NodeName>
<NodeName>DoNotSyncBrowserSettings</NodeName>
<DFProperties>
<AccessType>
<Get />
@ -54935,7 +55113,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user&apos;s devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings.
Related policy: DoNotSyncBrowserSetting
Related policy: DoNotSyncBrowserSettings
1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing</Description>
<DFFormat>
<int/>
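Review bot: The Description still reads "the Do not sync browser setting policy" in its first paragraph, while the related-policy line now uses DoNotSyncBrowserSettings; make the prose match the renamed node. The paragraph is also hard to reconcile with the value list: it says that when enabled "browser settings sync automatically", but the list gives "1 (default) = Do not allow users to turn on syncing". Rewrite the paragraph so that each state maps to exactly one of the two listed values.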
@ -63004,41 +63182,6 @@ Default: Disabled.</Description>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>15</DefaultValue>
<Description>Microsoft network server: Amount of idle time required before suspending a session
This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.
Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.
For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.
Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.</Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="0" high="99999"></MSFT:SupportedValues>
<MSFT:NotSupportedOnPlatform>phone</MSFT:NotSupportedOnPlatform>
<MSFT:GPRegistryMappedCategory>Windows Settings~Security Settings~Local Policies~Security Options</MSFT:GPRegistryMappedCategory>
<MSFT:GPRegistryMappedName>Microsoft network server: Amount of idle time required before suspending session</MSFT:GPRegistryMappedName>
<MSFT:ConflictResolution>LowestValueMostSecure</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>MicrosoftNetworkServer_DigitallySignCommunicationsAlways</NodeName>
<DFProperties>
@ -63402,7 +63545,7 @@ This setting can affect the ability of computers running Windows 2000 Server, Wi
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<DefaultValue>3</DefaultValue>
<Description>Network security LAN Manager authentication level
This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:
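Review bot: DefaultValue moves from 0 to 3, but the visible part of the Description gives neither a default nor a numeric mapping for the authentication levels. Because this value decides which challenge/response protocol is used for network logons, check that the option list in the Description labels level 3 and names it as the default, so the DDF and the prose cannot drift apart.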
@ -63455,7 +63598,7 @@ Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<DefaultValue>536870912</DefaultValue>
<Description>Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
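Review bot: The new DefaultValue 536870912 is an opaque decimal. It equals 0x20000000, a single flag bit, and nothing in the visible Description ties that number to one of the listed options. Put the numeric value next to each option and mark the default, and do the same for the matching servers policy, which receives the same default in this commit.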
@ -63493,7 +63636,7 @@ Windows 7 and Windows Server 2008 R2: Require 128-bit encryption</Description>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<DefaultValue>536870912</DefaultValue>
<Description>Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
@ -65452,6 +65595,34 @@ The options are:
<MSFT:ConflictResolution>LowestValueMostSecureZeroHasNoLimits</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>DisablePrivacyExperience</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users.</Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="0" high="1"></MSFT:SupportedValues>
<MSFT:NotSupportedOnPlatform>phone</MSFT:NotSupportedOnPlatform>
<MSFT:ADMXMapped>OOBE.admx</MSFT:ADMXMapped>
<MSFT:ADMXCategory>OOBE~AT~WindowsComponents~OOBE</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>DisablePrivacyExperience</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>LowestValueMostSecure</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>EnableActivityFeed</NodeName>
<DFProperties>
@ -69810,12 +69981,12 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="0" high="1"></MSFT:SupportedValues>
<MSFT:SupportedValues low="0" high="3"></MSFT:SupportedValues>
<MSFT:NotSupportedOnPlatform>phone</MSFT:NotSupportedOnPlatform>
<MSFT:ADMXMapped>SmartScreen.admx</MSFT:ADMXMapped>
<MSFT:ADMXCategory>SmartScreen~AT~WindowsComponents~SmartScreen~Shell</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>ConfigureAppInstallControl</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>HighestValueMostSecure</MSFT:ConflictResolution>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
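Review bot: Two changes land together on ConfigureAppInstallControl and both need a word in the documentation. SupportedValues widens from 0..1 to 0..3, so the Description has to define values 2 and 3. ConflictResolution changes from HighestValueMostSecure to LastWrite, which means the most recent write now wins even when it is the less restrictive one. If that is intended because the wider range is no longer ordered by strictness, say so in the policy text; otherwise keep the previous resolution rule.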
@ -70823,6 +70994,34 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
<MSFT:ConflictResolution>LowestValueMostSecure</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>AllowDeviceNameInDiagnosticData</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data.</Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="0" high="1"></MSFT:SupportedValues>
<MSFT:ADMXMapped>DataCollection.admx</MSFT:ADMXMapped>
<MSFT:ADMXMappedElement>AllowDeviceNameInDiagnosticData</MSFT:ADMXMappedElement>
<MSFT:ADMXCategory>DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>AllowDeviceNameInDiagnosticData</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>LowestValueMostSecure</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>AllowEmbeddedMode</NodeName>
<DFProperties>
@ -72934,7 +73133,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="2" high="30"></MSFT:SupportedValues>
<MSFT:SupportedValues low="0" high="30"></MSFT:SupportedValues>
<MSFT:ADMXMapped>WindowsUpdate.admx</MSFT:ADMXMapped>
<MSFT:ADMXMappedElement>EngagedRestartTransitionSchedule</MSFT:ADMXMappedElement>
<MSFT:ADMXCategory>WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat</MSFT:ADMXCategory>
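Review bot: Lowering the SupportedValues minimum from 2 to 0 makes 0 and 1 valid for EngagedRestartTransitionSchedule, and the next hunk does the same for the feature-update variant. The visible lines do not say what a transition schedule of 0 means. Document it in the Description (for example whether 0 disables the transition or applies it immediately), since both readings are plausible for a day count.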
@ -72962,7 +73161,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="2" high="30"></MSFT:SupportedValues>
<MSFT:SupportedValues low="0" high="30"></MSFT:SupportedValues>
<MSFT:ADMXMapped>WindowsUpdate.admx</MSFT:ADMXMapped>
<MSFT:ADMXMappedElement>EngagedRestartTransitionScheduleForFeatureUpdates</MSFT:ADMXMappedElement>
<MSFT:ADMXCategory>WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat</MSFT:ADMXCategory>
@ -73677,7 +73876,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
</DFProperties>
</Node>
<Node>
<NodeName>UpdateNotificationKioskMode</NodeName>
<NodeName>UpdateNotificationLevel</NodeName>
<DFProperties>
<AccessType>
<Get />
@ -73699,7 +73898,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
<MSFT:SupportedValues low="0" high="2"></MSFT:SupportedValues>
<MSFT:ADMXMapped>WindowsUpdate.admx</MSFT:ADMXMapped>
<MSFT:ADMXCategory>WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>UpdateNotificationKioskMode</MSFT:ADMXPolicyName>
<MSFT:ADMXPolicyName>UpdateNotificationLevel</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>

View File

@ -41,7 +41,7 @@ The following diagram shows the Reboot configuration service provider management
<p style="margin-left: 20px">The supported operations are Get, Add, Replace, and Delete.</p>
<a href="" id="schedule-dailyrecurrent"></a>**Schedule/DailyRecurrent**
<p style="margin-left: 20px">This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. For example: 2015-12-15T07:36:25Z</p>
<p style="margin-left: 20px">This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00. </p>
<p style="margin-left: 20px">The supported operations are Get, Add, Replace, and Delete.</p>
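Review bot: The rewritten Schedule/DailyRecurrent paragraph now documents only the format the CSP returns (2018-06-29T10:00:00+01:00) and drops the earlier input example 2015-12-15T07:36:25Z. A reader can no longer tell whether a UTC value with a Z suffix is still accepted on Add or Replace, or whether an offset is required. Keep an input example next to the returned-format example, and remove the trailing space before the closing tag.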

View File

@ -6,11 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 03/22/2018
ms.date: 08/02/2018
---
# WindowsDefenderApplicationGuard CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in the Application Guard. This CSP was added in Windows 10, version 1709.
@ -19,20 +21,19 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se
![windowsdefenderapplicationguard csp](images/provisioning-csp-windowsdefenderapplicationguard.png)
<a href="" id="windowsdefenderapplicationguard"></a>**./Device/Vendor/MSFT/WindowsDefenderApplicationGuard**
<p style="margin-left: 20px">Root node. Supported operation is Get.</p>
<p style="margin-left: 20px"></p>
Root node. Supported operation is Get.
<a href="" id="settings"></a>**Settings**
<p style="margin-left: 20px">Interior node. Supported operation is Get.</p>
Interior node. Supported operation is Get.
<a href="" id="allowwindowsdefenderapplicationguard"></a>**Settings/AllowWindowsDefenderApplicationGuard**
<p style="margin-left: 20px">Turn on Windows Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
Turn on Windows Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
- 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment.
- 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container.
<a href="" id="clipboardfiletype"></a>**Settings/ClipboardFileType**
<p style="margin-left: 20px">Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
- 0 - Disables content copying.
- 1 - Allow text copying.
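Review bot: An empty paragraph element (`<p style="margin-left: 20px"></p>`) sits next to the root node description in this hunk; if it is on the added side it should be dropped, since the rest of the change is removing those wrappers. While this list is being touched, "insolated environment" in the value 0 bullet for AllowWindowsDefenderApplicationGuard should read "isolated environment".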
@ -40,7 +41,7 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se
- 3 - Allow text and image copying.
<a href="" id="clipboardsettings"></a>**Settings/ClipboardSettings**
<p style="margin-left: 20px">This policy setting allows you to decide how the clipboard behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete</p>
This policy setting allows you to decide how the clipboard behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete
- 0 (default) - Completely turns Off the clipboard functionality for the Application Guard.
- 1 - Turns On clipboard operation from an isolated session to the host
@ -51,7 +52,7 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se
> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
<a href="" id="printingsettings"></a>**Settings/PrintingSettings**
<p style="margin-left: 20px">This policy setting allows you to decide how the print functionality behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
This policy setting allows you to decide how the print functionality behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
- 0 - Disables all print functionality (default)
- 1 - Enables only XPS printing
@ -70,13 +71,13 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se
- 15 - Enables all printing
<a href="" id="blocknonenterprisecontent"></a>**Settings/BlockNonEnterpriseContent**
<p style="margin-left: 20px">This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
- 0 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Windows Defender Application Guard.
- 1 (default) - Non-enterprise sites can open outside of the Windows Defender Application Guard container, directly in Internet Explorer and Microsoft Edge.
- 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Windows Defender Application Guard container, directly in Internet Explorer and Microsoft Edge..
- 1 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Windows Defender Application Guard.
<a href="" id="allowpersistence"></a>**Settings/AllowPersistence**
<p style="margin-left: 20px">This policy setting allows you to decide whether data should persist across different sessions in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
This policy setting allows you to decide whether data should persist across different sessions in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off.
- 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
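Review bot: The BlockNonEnterpriseContent values are inverted relative to the previous text: blocking was documented as 0 and is now 1, and the default moves from 1 to 0. If the earlier documentation was simply wrong, say so in the change history, because anyone who configured 0 to block based on the old page is now allowing embedded non-enterprise content to open outside the container. Also fix the double period after "Microsoft Edge.." and the agreement in "content ... are stopped".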
@ -93,29 +94,62 @@ Added in Windows 10, version 1803. This policy setting allows you to determine w
- 0 (default) - The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0).
- 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system.
<a href="" id="status"></a>**Status**
<p style="margin-left: 20px">Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Value type is integer. Supported operation is Get.
<a href="" id="filetrustcriteria"></a>**Settings/FileTrustCriteria**
Placeholder for future use. Do not use in production code.
Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode
<a href="" id="filetrustoriginremovablemedia"></a>**Settings/FileTrustOriginRemovableMedia**
Placeholder for future use. Do not use in production code.
<a href="" id="filetrustoriginnetworkshare"></a>**Settings/FileTrustOriginNetworkShare**
Placeholder for future use. Do not use in production code.
<a href="" id="filetrustoriginmarkoftheweb"></a>**Settings/FileTrustOriginMarkOfTheWeb**
Placeholder for future use. Do not use in production code.
<a href="" id="certificatethumbprints"></a>**Settings/CertificateThumbprints**
Added in Windows 10, next major version. This policy setting allows certain Root Certificates to be shared with the Windows Defender Application Guard container.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. You can specify multiple certificates using a comma to separate the thumbprints for each certificate you want to transfer.
Example: b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924
If you disable or dont configure this setting, certificates are not shared with the Windows Defender Application Guard container.
<a href="" id="allowcameramicrophoneredirection"></a>**Settings/AllowCameraMicrophoneRedirection**
Added in Windows 10, next major version. The policy allows you to determine whether applications inside Windows Defender Application Guard can access the devices camera and microphone when these settings are enabled on the users device.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
If you enable this policy, applications inside Windows Defender Application Guard will be able to access the camera and microphone on the users device.
If you disable or don't configure this policy, applications inside Windows Defender Application Guard will be unable to access the camera and microphone on the users device.
> [!Important]
> If you turn on this policy, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed.
<a href="" id="status"></a>**Status**
Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Value type is integer. Supported operation is Get.
Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode
Bit 1 - Set to 1 when the client machine is Hyper-V capable
Bit 2 - Set to 1 when the client machine has a valid OS license and SKU
Bit 3 - Set to 1 when WDAG installed on the client machine
Bit 4 - Set to 1 when required Network Isolation Policies are configured
Bit 5 - Set to 1 when the client machine meets minimum hardware requirements
</p>
<a href="" id="installwindowsdefenderapplicationguard"></a>**InstallWindowsDefenderApplicationGuard**
<p style="margin-left: 20px">Initiates remote installation of Application Guard feature. Supported operations are Get and Execute.</p>
Initiates remote installation of Application Guard feature. Supported operations are Get and Execute.
- Install - Will initiate feature install
- Uninstall - Will initiate feature uninstall
<a href="" id="audit"></a>**Audit**
<p style="margin-left: 20px">Interior node. Supported operation is Get</p>
Interior node. Supported operation is Get
<a href="" id="auditapplicationguard"></a>**Audit/AuditApplicationGuard**
<p style="margin-left: 20px">This policy setting allows you to decide whether auditing events can be collected from Application Guard. Value type in integer. Supported operations are Add, Get, Replace, and Delete.</p>
This policy setting allows you to decide whether auditing events can be collected from Application Guard. Value type in integer. Supported operations are Add, Get, Replace, and Delete.
- 0 (default) - - Audit event logs aren't collected for Application Guard.
- 1 - Application Guard inherits its auditing policies from Microsoft Edge and starts to audit system events specifically for Application Guard.
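Review bot: Settings/AllowCameraMicrophoneRedirection is declared as an integer but, unlike the other settings in this file, has no value list; add the numeric values and mark the default. The same section is missing apostrophes ("the devices camera", "the users device", and "dont configure" under CertificateThumbprints). For CertificateThumbprints, state the expected thumbprint format, since the example shows 40 hexadecimal characters but the text never says so, and say what happens when an entry in the comma-separated list does not match an installed certificate. In the Audit section, "Value type in integer" should be "is integer" and "0 (default) - -" has a doubled dash. Check as well whether the closing paragraph tag after the Bit 5 line is still needed now that the opening tag is gone.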

View File

@ -6,17 +6,19 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 03/22/2018
ms.date: 08/02/2018
---
# WindowsDefenderApplicationGuard DDF file
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **WindowsDefenderApplicationGuard** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
This XML is for Windows 10, version 1803.
This XML is for Windows 10, next major version.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
@ -42,7 +44,7 @@ This XML is for Windows 10, version 1803.
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.2/MDM/WindowsDefenderApplicationGuard</MIME>
<MIME>com.microsoft/1.3/MDM/WindowsDefenderApplicationGuard</MIME>
</DFType>
</DFProperties>
<Node>
@ -248,6 +250,147 @@ This XML is for Windows 10, version 1803.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FileTrustCriteria</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FileTrustOriginRemovableMedia</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FileTrustOriginNetworkShare</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FileTrustOriginMarkOfTheWeb</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CertificateThumbprints</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AllowCameraMicrophoneRedirection</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Status</NodeName>
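Review bot: None of the six added nodes carries a Description element, so the DDF gives a consumer no hint of what FileTrustCriteria, CertificateThumbprints or AllowCameraMicrophoneRedirection do or which values they accept. The four FileTrust* nodes are also published with Add, Delete and Replace access, although the CSP page in this same commit calls them "Placeholder for future use. Do not use in production code." Either hold them back from the DDF until they are defined, or add a Description that repeats that warning.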

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/30/2018
---

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/30/2018
---

View File

@ -8,7 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerms
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/30/2018
ms.author: jdecker
---

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/30/2018
---

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/30/2018
---

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/30/2018
---

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/30/2018
---

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 08/03/2018
---

View File

@ -9,7 +9,7 @@ ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 07/20/2018
ms.localizationpriority: high
ms.localizationpriority: medium
---
# Frequently asked questions and troubleshooting Windows Analytics

View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 07/18/2018
ms.date: 08/01/2018
ms.localizationpriority: medium
---
@ -52,9 +52,9 @@ To enable data sharing, configure your proxy sever to whitelist the following en
| `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. |
| `https://oca.telemetry.microsoft.com` | Online Crash Analysis; required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. |
| `https://login.live.com` | Windows Error Reporting (WER); required by Device Health for device tickets. |
| `https://login.live.com` | Windows Error Reporting (WER); required by Device Health. **Note:** WER does *not* use login.live.com to access Microsoft Account consumer services such as Xbox Live. WER uses an anti-spoofing API at that address to enhance the integrity of error reports. |
| `https://www.msftncsi.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. |
| `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. **Note:** In this context login.live.com is *not* used for access to Microsoft Account consumer services. The endpoint is used only as part of the WIndows Error Reporting protocol to enhance the integrity of error reports. |
| `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. |
>[!NOTE]
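
Review bot: The new bold Note in the `https://login.live.com` row puts two full sentences inside a table cell, which is hard to scan and easy to miss for someone building a proxy allow list. Consider moving it into the `>[!NOTE]` block that follows the table and keeping the cell to the one-line purpose. The rewritten cell also drops "for device tickets" from the old text; confirm that is intended. While in this section, the intro sentence shown in the hunk header still reads "proxy sever" and should be "proxy server".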

View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.date: 07/18/2018
ms.localizationpriority: high
ms.localizationpriority: medium
---
# SetupDiag

View File

@ -4,7 +4,7 @@ description: How to add devices to Windows Autopilot
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft

View File

@ -4,7 +4,7 @@ description: How to configure Windows Autopilot deployment
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft

View File

@ -7,7 +7,7 @@ ms.technology: Windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype:
ms.localizationpriority: high
ms.localizationpriority: medium
author: coreyp-at-msft
ms.author: coreyp
ms.date: 06/01/2018

View File

@ -4,7 +4,7 @@ description: How to configure Windows Autopilot deployment
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft

View File

@ -4,7 +4,7 @@ description: Listing of Autopilot scenarios
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: low
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft

View File

@ -7,7 +7,7 @@ ms.technology: Windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype:
ms.localizationpriority: high
ms.localizationpriority: medium
author: coreyp-at-msft
ms.author: coreyp
ms.date: 06/01/2018

View File

@ -4,7 +4,7 @@ description: This topic goes over Windows Autopilot and how it helps setup OOBE
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft

View File

@ -4,7 +4,7 @@ description: Listing of Autopilot scenarios
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: low
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft

View File

@ -4,7 +4,7 @@ description: Listing of Autopilot scenarios
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: low
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft

View File

@ -4,7 +4,7 @@ description: Canonical Autopilot scenario
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft

View File

@ -4,7 +4,7 @@ description: This topic goes over Windows Autopilot and how it helps setup OOBE
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft

View File

@ -7,7 +7,7 @@ ms.technology: Windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype:
ms.localizationpriority: high
ms.localizationpriority: medium
author: coreyp-at-msft
ms.author: coreyp
ms.date: 06/01/2018

View File

@ -7,7 +7,7 @@ ms.technology: Windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype:
ms.localizationpriority: high
ms.localizationpriority: medium
author: coreyp-at-msft
ms.author: coreyp
ms.date: 06/01/2018

View File

@ -7,7 +7,7 @@ ms.technology: Windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype:
ms.localizationpriority: high
ms.localizationpriority: medium
author: coreyp-at-msft
ms.author: coreyp
ms.date: 06/01/2018

View File

@ -4,7 +4,7 @@ description: Listing of Autopilot scenarios
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft
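
Review bot: This file, whose description is "Listing of Autopilot scenarios", is set to `ms.localizationpriority: medium`, while the three other files in this commit with the same description are set to `low`. Confirm which value is intended and make the four consistent, or note why this one differs. The identical `description:` across four files is also worth revisiting, since it gives no way to tell the pages apart from metadata alone.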

View File

@ -67,7 +67,7 @@ The Windows Hello for Business Group Policy object delivers the correct Group Po
#### Enable Windows Hello for Business
The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled.
The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled.
You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
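
Review bot: The paragraph directly after the corrected sentence still has grammar problems that belong in the same fix: "for computer or users" should be "for computers or users", and "ALL users that sign-in that computer to attempt" should read along the lines of "all users who sign in to that computer attempting". This paragraph defines who is enrolled and states that the user policy setting takes precedence over the computer setting, so the wording needs to be unambiguous.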
@ -163,7 +163,7 @@ Users must receive the Windows Hello for Business group policy settings and have
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequistes](hello-hybrid-key-trust-prereqs.md)
2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-key-new-install.md)
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
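
Review bot: In the numbered list, item 1 links to `hello-hybrid-cert-trust.md`, while the heading is the hybrid key trust deployment guide and every other item links to a `hello-hybrid-key-*` file. Check whether the Overview link should point to the key trust overview instead, so readers following this guide are not sent into the certificate trust guide.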

View File

@ -48,5 +48,5 @@ While Windows Defender System Guard provides advanced protection that will help
As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the devices Trusted Platform Module 2.0 (TPM 2.0). This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the devices firmware, hardware configuration state, and Windows boot-related components, just to name a few. After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
![Windows Defender System Guard](images/windows-defender-system-guard-validate-system-integrity.png)
![Windows Defender System Guard](images/windows-defender-system-guard-validate-system-integrity.png)

View File

@ -26,7 +26,7 @@ When a service connects with the device identity, signing and encryption are sup
### Possible values
| Setting | Windows Server 2008 and Windows Vista | At least Windows Server 2008 R2 and Windows 7 |
| - | - |
| - | - | - |
| Enabled | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This is the default behavior. |
| Disabled| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. This is the default behavior.| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.|
|Neither|Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.|

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 09/21/2017
ms.date: 08/02/2018
---
# Delete an AppLocker rule
@ -16,7 +16,7 @@ ms.date: 09/21/2017
- Windows 10
- Windows Server
This topic for IT professionals describes the steps to delete an AppLocker rule.
This topic for IT professionals describes the steps to delete an AppLocker rule.
As older apps are retired and new apps are deployed in your organization, it will be necessary to modify the application control policies. If an app becomes unsupported by the IT department or is no longer allowed due to the organization's security policy, then deleting the rule or rules associated with that app will prevent the app from running.
@ -25,6 +25,8 @@ For info about testing an AppLocker policy to see what rules affect which files
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer
AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
These steps apply only for locally managed devices. If the device has AppLocker policies applied by using MDM or a GPO, the local policy will not override those settings.
**To delete a rule in an AppLocker policy**
1. Open the AppLocker console.
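
Review bot: The added sentence "These steps apply only for locally managed devices" conflicts with the paragraph just above it, which says the task can be performed with the Group Policy Management Console for a policy in a GPO. State which procedure the limitation applies to (the console steps that follow, or only the local-policy procedure later in the topic) and place the sentence next to that procedure. "apply only for" should be "apply only to", and the context line "For info how to use" is missing "about".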
@ -43,6 +45,7 @@ Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
To use the Set-AppLockerPolicy cmdlet, first import the Applocker modules:
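
Review bot: The added `<RuleCollection Type="Appx" EnforcementMode="NotConfigured" />` line has no leading indentation, while the sibling `Msi`, `Script` and `Dll` lines are indented inside `<AppLockerPolicy>`. Match the indentation of the other rule collections so the sample stays readable when copied. The following context line spells the product "Applocker"; it should be "AppLocker" as elsewhere in the topic.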

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/16/2018
---

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/25/2018
---

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/01/2018
---

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/01/2018
---