deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into nimishasatapathy-5400951-part6

Browse Source
This commit is contained in:
Nimisha Satapathy 2021-10-01 11:10:28 +05:30 committed by GitHub
commit 51caa52ff7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
55 changed files with 2602 additions and 1400 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
View File

@ -896,6 +896,7 @@ ms.date: 10/08/2020
- [ADMX_Programs/NoProgramsCPL](./policy-csp-admx-programs.md#admx-programs-noprogramscpl) - [ADMX_Programs/NoProgramsCPL](./policy-csp-admx-programs.md#admx-programs-noprogramscpl)
- [ADMX_Programs/NoWindowsFeatures](./policy-csp-admx-programs.md#admx-programs-nowindowsfeatures) - [ADMX_Programs/NoWindowsFeatures](./policy-csp-admx-programs.md#admx-programs-nowindowsfeatures)
- [ADMX_Programs/NoWindowsMarketplace](./policy-csp-admx-programs.md#admx-programs-nowindowsmarketplace) - [ADMX_Programs/NoWindowsMarketplace](./policy-csp-admx-programs.md#admx-programs-nowindowsmarketplace)
- [ADMX_Radar/WdiScenarioExecutionPolicy](./policy-csp-admx-radar.md#admx-radar-wdiscenarioexecutionpolicy)
- [ADMX_Reliability/EE_EnablePersistentTimeStamp](./policy-csp-admx-reliability.md#admx-reliability-ee-enablepersistenttimestamp) - [ADMX_Reliability/EE_EnablePersistentTimeStamp](./policy-csp-admx-reliability.md#admx-reliability-ee-enablepersistenttimestamp)
- [ADMX_Reliability/PCH_ReportShutdownEvents](./policy-csp-admx-reliability.md#admx-reliability-pch-reportshutdownevents) - [ADMX_Reliability/PCH_ReportShutdownEvents](./policy-csp-admx-reliability.md#admx-reliability-pch-reportshutdownevents)
- [ADMX_Reliability/ShutdownEventTrackerStateFile](./policy-csp-admx-reliability.md#admx-reliability-shutdowneventtrackerstatefile) - [ADMX_Reliability/ShutdownEventTrackerStateFile](./policy-csp-admx-reliability.md#admx-reliability-shutdowneventtrackerstatefile)
@ -953,12 +954,17 @@ ms.date: 10/08/2020
- [ADMX_sdiageng/BetterWhenConnected](./policy-csp-admx-sdiageng.md#admx-sdiageng-betterwhenconnected) - [ADMX_sdiageng/BetterWhenConnected](./policy-csp-admx-sdiageng.md#admx-sdiageng-betterwhenconnected)
- [ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticsexecutionpolicy) - [ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticsexecutionpolicy)
- [ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticssecuritypolicy) - [ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticssecuritypolicy)
- [ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy](./policy-csp-admx-sdiagschd.md#admx-sdiagschd-scheduleddiagnosticsexecutionpolicy)
- [ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain](/policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain) - [ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain](/policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain)
- [ADMX_Sensors/DisableLocationScripting_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-1) - [ADMX_Sensors/DisableLocationScripting_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-1)
- [ADMX_Sensors/DisableLocationScripting_2](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-2) - [ADMX_Sensors/DisableLocationScripting_2](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-2)
- [ADMX_Sensors/DisableLocation_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocation-1) - [ADMX_Sensors/DisableLocation_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocation-1)
- [ADMX_Sensors/DisableSensors_1](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-1) - [ADMX_Sensors/DisableSensors_1](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-1)
- [ADMX_Sensors/DisableSensors_2](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-2) - [ADMX_Sensors/DisableSensors_2](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-2)
- [ADMX_ServerManager/Do_not_display_Manage_Your_Server_page](./policy-csp-admx-servermanager.md#admx-servermanager-do_not_display_manage_your_server_page)
- [ADMX_ServerManager/ServerManagerAutoRefreshRate](./policy-csp-admx-servermanager.md#admx-servermanager-servermanagerautorefreshrate)
- [ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks](./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchinitialconfigurationtasks)
- [ADMX_ServerManager/DoNotLaunchServerManager](./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchservermanager)
- [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing) - [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing)
- [ADMX_SettingSync/DisableAppSyncSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableappsyncsettingsync) - [ADMX_SettingSync/DisableAppSyncSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableappsyncsettingsync)
- [ADMX_SettingSync/DisableApplicationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableapplicationsettingsync) - [ADMX_SettingSync/DisableApplicationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableapplicationsettingsync)
@ -996,8 +1002,6 @@ ms.date: 10/08/2020
- [ADMX_Snmp/SNMP_Communities](./policy-csp-admx-snmp.md#admx-snmp-snmp-communities) - [ADMX_Snmp/SNMP_Communities](./policy-csp-admx-snmp.md#admx-snmp-snmp-communities)
- [ADMX_Snmp/SNMP_PermittedManagers](./policy-csp-admx-snmp.md#admx-snmp-snmp-permittedmanagers) - [ADMX_Snmp/SNMP_PermittedManagers](./policy-csp-admx-snmp.md#admx-snmp-snmp-permittedmanagers)
- [ADMX_Snmp/SNMP_Traps_Public](./policy-csp-admx-snmp.md#admx-snmp-snmp-traps-public) - [ADMX_Snmp/SNMP_Traps_Public](./policy-csp-admx-snmp.md#admx-snmp-snmp-traps-public)
- [ADMX_srmfci/EnableShellAccessCheck](./policy-csp-admx-srmfci.md#admx-srmfci-enableshellaccesscheck)
- [ADMX_srmfci/AccessDeniedConfiguration](./policy-csp-admx-srmfci.md#admx-srmfci-accessdeniedconfiguration)
- [ADMX_StartMenu/AddSearchInternetLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-addsearchinternetlinkinstartmenu) - [ADMX_StartMenu/AddSearchInternetLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-addsearchinternetlinkinstartmenu)
- [ADMX_StartMenu/ClearRecentDocsOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentdocsonexit) - [ADMX_StartMenu/ClearRecentDocsOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentdocsonexit)
- [ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentprogfornewuserinstartmenu) - [ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentprogfornewuserinstartmenu)

41
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -3199,6 +3199,13 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd> </dd>
</dl> </dl>
### ADMX_Radar policies
<dl>
<dd>
<a href="./policy-csp-admx-radar.md#admx-radar-wdiscenarioexecutionpolicy" id="admx-radar-wdiscenarioexecutionpolicy">ADMX_Radar/WdiScenarioExecutionPolicy</a>
</dd>
<dl>
### ADMX_Reliability policies ### ADMX_Reliability policies
<dl> <dl>
@ -3386,6 +3393,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd> </dd>
</dl> </dl>
### ADMX_sdiagschd policies
<dl>
<dd>
<a href="./policy-csp-admx-sdiagschd.md#admx-sdiagschd-scheduleddiagnosticsexecutionpolicy" id="admx-sdiagschd-scheduleddiagnosticsexecutionpolicy">ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy</a>
</dd>
<dl>
### ADMX_sdiageng policies ### ADMX_sdiageng policies
<dl> <dl>
@ -3428,6 +3443,23 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd> </dd>
</dl> </dl>
### ADMX_ServerManager policies
</dl>
<dd>
<a href="./policy-csp-admx-servermanager.md#admx-servermanager-do_not_display_manage_your_server_page" id="admx-servermanager-do_not_display_manage_your_server_page">ADMX_ServerManager/Do_not_display_Manage_Your_Server_page</a>
</dd>
<dd>
<a href="./policy-csp-admx-servermanager.md#admx-servermanager-servermanagerautorefreshrate" id="admx-servermanager-servermanagerautorefreshrate">ADMX_ServerManager/ServerManagerAutoRefreshRate</a>
</dd>
<dd>
<a href="./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchinitialconfigurationtasks" id="admx-servermanager-donotlaunchinitialconfigurationtasks">ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks</a>
</dd>
<dd>
<a href="./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchservermanager" id="admx-servermanager-donotlaunchservermanager">ADMX_ServerManager/DoNotLaunchServerManager</a>
</dd>
</dl>
### ADMX_Servicing policies ### ADMX_Servicing policies
<dl> <dl>
@ -3578,15 +3610,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<a href="./policy-csp-admx-snmp.md#admx-snmp-snmp-traps-public" id="admx-snmp-snmp-traps-public">ADMX_Snmp/SNMP_Traps_Public</a> <a href="./policy-csp-admx-snmp.md#admx-snmp-snmp-traps-public" id="admx-snmp-snmp-traps-public">ADMX_Snmp/SNMP_Traps_Public</a>
</dd> </dd>
</dl> </dl>
### ADMX_srmfci policies
<dl>
<dd>
<a href="./policy-csp-admx-srmfci.md#admx-srmfci-enableshellaccesscheck" id="admx-srmfci-enableshellaccesscheck">ADMX_srmfci/EnableShellAccessCheck</a>
</dd>
<dd>
<a href="./policy-csp-admx-srmfci.md#admx-srmfci-accessdeniedconfiguration" id="admx-srmfci-accessdeniedconfiguration">ADMX_srmfci/AccessDeniedConfiguration</a>
</dd> </dd>
<dl> <dl>

38
windows/client-management/mdm/policy-csp-admx-datacollection.md
View File

@ -13,14 +13,19 @@ manager: dansimp
--- ---
# Policy CSP - ADMX_DataCollection # Policy CSP - ADMX_DataCollection
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/> <hr/>
<!--Policies--> <!--Policies-->
## ADMX_DataCollection policies ## ADMX_DataCollection policies
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<dl> <dl>
<dd> <dd>
<a href="#admx-datacollection-commercialidpolicy">ADMX_DataCollection/CommercialIdPolicy</a> <a href="#admx-datacollection-commercialidpolicy">ADMX_DataCollection/CommercialIdPolicy</a>
@ -36,28 +41,34 @@ manager: dansimp
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -74,19 +85,14 @@ manager: dansimp
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting defines the identifier used to uniquely associate this devices telemetry data as belonging to a given organization. This policy setting defines the identifier used to uniquely associate this devices telemetry data as belonging to a given organization.
If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program.
If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its telemetry data with your organization. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its telemetry data with your organization.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:

847
windows/client-management/mdm/policy-csp-admx-desktop.md
View File

File diff suppressed because it is too large Load Diff

243
windows/client-management/mdm/policy-csp-admx-deviceinstallation.md
View File

@ -13,8 +13,13 @@ manager: dansimp
--- ---
# Policy CSP - ADMX_DeviceInstallation # Policy CSP - ADMX_DeviceInstallation
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. > [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/> <hr/>
@ -57,28 +62,34 @@ manager: dansimp
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -95,19 +106,14 @@ manager: dansimp
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings.
If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation. If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -126,28 +132,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -164,19 +176,14 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation. This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation.
If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation. If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation.
If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation. If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -195,28 +202,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -233,19 +246,14 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation. This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation.
If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation. If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation.
If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation. If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -264,28 +272,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -302,19 +316,14 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete.
If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation. If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation.
If you disable or do not configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation. If you disable or do not configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -333,28 +342,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -371,7 +386,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies.
If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot. If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot.
@ -380,12 +395,7 @@ If you disable or do not configure this policy setting, the system does not forc
Note: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted. Note: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -404,28 +414,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -442,18 +458,13 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device. This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server. If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings. If you disable or do not configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -472,28 +483,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -510,19 +527,14 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity.
If you enable this policy setting, Windows does not create a system restore point when one would normally be created. If you enable this policy setting, Windows does not create a system restore point when one would normally be created.
If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would. If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -541,28 +553,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -579,7 +597,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system. This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system.
If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store. If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store.
@ -587,12 +605,7 @@ If you disable or do not configure this policy setting, only members of the Admi
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -605,6 +618,4 @@ ADMX Info:
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies--> <!--/Policies-->

68
windows/client-management/mdm/policy-csp-admx-devicesetup.md
View File

@ -13,8 +13,13 @@ manager: dansimp
--- ---
# Policy CSP - ADMX_DeviceSetup # Policy CSP - ADMX_DeviceSetup
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. > [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/> <hr/>
@ -39,28 +44,34 @@ manager: dansimp
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -77,19 +88,14 @@ manager: dansimp
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off "Found New Hardware" balloons during device installation. This policy setting allows you to turn off "Found New Hardware" balloons during device installation.
If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed. If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed.
If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons. If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -108,28 +114,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -146,7 +158,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the order in which Windows searches source locations for device drivers. This policy setting allows you to specify the order in which Windows searches source locations for device drivers.
If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all. If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all.
@ -155,12 +167,6 @@ Note that searching always implies that Windows will attempt to search Windows U
If you disable or do not configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers. If you disable or do not configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -173,7 +179,5 @@ ADMX Info:
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies--> <!--/Policies-->

69
windows/client-management/mdm/policy-csp-admx-digitallocker.md
View File

@ -13,8 +13,13 @@ manager: dansimp
--- ---
# Policy CSP - ADMX_DigitalLocker # Policy CSP - ADMX_DigitalLocker
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. > [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/> <hr/>
@ -39,28 +44,34 @@ manager: dansimp
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -77,7 +88,7 @@ manager: dansimp
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Digital Locker can run. This policy setting specifies whether Digital Locker can run.
Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker.
@ -86,12 +97,7 @@ If you enable this setting, Digital Locker will not run.
If you disable or do not configure this setting, Digital Locker can be run. If you disable or do not configure this setting, Digital Locker can be run.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -110,28 +116,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -148,7 +160,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Digital Locker can run. This policy setting specifies whether Digital Locker can run.
Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker.
@ -157,12 +169,7 @@ If you enable this setting, Digital Locker will not run.
If you disable or do not configure this setting, Digital Locker can be run. If you disable or do not configure this setting, Digital Locker can be run.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -175,8 +182,6 @@ ADMX Info:
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies--> <!--/Policies-->

39
windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md
View File

@ -13,8 +13,13 @@ manager: dansimp
--- ---
# Policy CSP - ADMX_DistributedLinkTracking # Policy CSP - ADMX_DistributedLinkTracking
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. > [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/> <hr/>
@ -36,28 +41,34 @@ manager: dansimp
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -74,7 +85,7 @@ manager: dansimp
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers.
The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer.
The DLT client can more reliably track links when allowed to use the DLT server. The DLT client can more reliably track links when allowed to use the DLT server.
This policy should not be set unless the DLT server is running on all domain controllers in the domain. This policy should not be set unless the DLT server is running on all domain controllers in the domain.
@ -83,12 +94,6 @@ This policy should not be set unless the DLT server is running on all domain con
> This policy setting applies to all sites in Trusted zones. > This policy setting applies to all sites in Trusted zones.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -101,8 +106,6 @@ ADMX Info:
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies--> <!--/Policies-->

646
windows/client-management/mdm/policy-csp-admx-dnsclient.md
View File

File diff suppressed because it is too large Load Diff

184
windows/client-management/mdm/policy-csp-admx-dwm.md
View File

@ -13,8 +13,13 @@ manager: dansimp
--- ---
# Policy CSP - ADMX_DWM # Policy CSP - ADMX_DWM
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. > [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/> <hr/>
@ -51,28 +56,34 @@ manager: dansimp
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -89,7 +100,7 @@ manager: dansimp
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default color for window frames when the user does not specify a color. This policy setting controls the default color for window frames when the user does not specify a color.
If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color.
@ -99,12 +110,6 @@ If you disable or do not configure this policy setting, the default internal col
> This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. > This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -124,28 +129,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -162,7 +173,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default color for window frames when the user does not specify a color. This policy setting controls the default color for window frames when the user does not specify a color.
If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color.
@ -172,12 +183,7 @@ If you disable or do not configure this policy setting, the default internal col
> This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. > This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -196,28 +202,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -234,7 +246,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows.
If you enable this policy setting, window animations are turned off. If you enable this policy setting, window animations are turned off.
@ -243,12 +255,7 @@ If you disable or do not configure this policy setting, window animations are tu
Changing this policy setting requires a logoff for it to be applied. Changing this policy setting requires a logoff for it to be applied.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -267,28 +274,33 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
</tr> <td>No</td>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -305,7 +317,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows.
If you enable this policy setting, window animations are turned off. If you enable this policy setting, window animations are turned off.
@ -314,12 +326,7 @@ If you disable or do not configure this policy setting, window animations are tu
Changing this policy setting requires a logoff for it to be applied. Changing this policy setting requires a logoff for it to be applied.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -338,28 +345,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -376,7 +389,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to change the color of window frames. This policy setting controls the ability to change the color of window frames.
If you enable this policy setting, you prevent users from changing the default window frame color. If you enable this policy setting, you prevent users from changing the default window frame color.
@ -386,12 +399,7 @@ If you disable or do not configure this policy setting, you allow users to chang
> This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. > This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -410,28 +418,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -448,7 +462,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to change the color of window frames. This policy setting controls the ability to change the color of window frames.
If you enable this policy setting, you prevent users from changing the default window frame color. If you enable this policy setting, you prevent users from changing the default window frame color.
@ -458,12 +472,6 @@ If you disable or do not configure this policy setting, you allow users to chang
> This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. > This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -476,7 +484,5 @@ ADMX Info:
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies--> <!--/Policies-->

361
windows/client-management/mdm/policy-csp-admx-eaime.md
View File

@ -13,8 +13,13 @@ manager: dansimp
--- ---
# Policy CSP - ADMX_EAIME # Policy CSP - ADMX_EAIME
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. > [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/> <hr/>
@ -69,29 +74,33 @@ manager: dansimp
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
</tr> <td>No</td>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
</tr> <td>Yes</td>
</table> </table>
<!--/SupportedSKUs--> <!--/SupportedSKUs-->
@ -107,7 +116,7 @@ manager: dansimp
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists. This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists.
If you enable this policy setting, Non-Publishing Standard Glyph is not included in the candidate list when Publishing Standard Glyph for the word exists. If you enable this policy setting, Non-Publishing Standard Glyph is not included in the candidate list when Publishing Standard Glyph for the word exists.
@ -119,12 +128,7 @@ This policy setting applies to Japanese Microsoft IME only.
> Changes to this setting will not take effect until the user logs off. > Changes to this setting will not take effect until the user logs off.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -143,28 +147,33 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
</tr> <td>No</td>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -181,7 +190,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict character code range of conversion by setting character filter. This policy setting allows you to restrict character code range of conversion by setting character filter.
If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME. You can specify multiple ranges by setting a value combined with a bitwise OR of following values: If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME. You can specify multiple ranges by setting a value combined with a bitwise OR of following values:
@ -205,12 +214,7 @@ This policy setting applies to Japanese Microsoft IME only.
> Changes to this setting will not take effect until the user logs off. > Changes to this setting will not take effect until the user logs off.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -229,28 +233,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -267,7 +277,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off the ability to use a custom dictionary. This policy setting allows you to turn off the ability to use a custom dictionary.
If you enable this policy setting, you cannot add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion. If you enable this policy setting, you cannot add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion.
@ -281,12 +291,7 @@ This policy setting is applied to Japanese Microsoft IME.
> Changes to this setting will not take effect until the user logs off. > Changes to this setting will not take effect until the user logs off.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -305,28 +310,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -343,7 +354,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off history-based predictive input. This policy setting allows you to turn off history-based predictive input.
If you enable this policy setting, history-based predictive input is turned off. If you enable this policy setting, history-based predictive input is turned off.
@ -355,12 +366,6 @@ This policy setting applies to Japanese Microsoft IME only.
> Changes to this setting will not take effect until the user logs off. > Changes to this setting will not take effect until the user logs off.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -379,28 +384,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -417,7 +428,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Internet search integration. This policy setting allows you to turn off Internet search integration.
Search integration includes both using Search Provider (Japanese Microsoft IME) and performing Bing search from predictive input for Japanese Microsoft IME. Search integration includes both using Search Provider (Japanese Microsoft IME) and performing Bing search from predictive input for Japanese Microsoft IME.
@ -431,12 +442,7 @@ This policy setting applies to Japanese Microsoft IME.
> Changes to this setting will not take effect until the user logs off. > Changes to this setting will not take effect until the user logs off.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -455,28 +461,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -493,7 +505,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Open Extended Dictionary. This policy setting allows you to turn off Open Extended Dictionary.
If you enable this policy setting, Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary. If you enable this policy setting, Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary.
@ -504,12 +516,7 @@ If you disable or do not configure this policy setting, Open Extended Dictionary
This policy setting is applied to Japanese Microsoft IME. This policy setting is applied to Japanese Microsoft IME.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -528,28 +535,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -566,7 +579,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off saving the auto-tuning result to file. This policy setting allows you to turn off saving the auto-tuning result to file.
If you enable this policy setting, the auto-tuning data is not saved to file. If you enable this policy setting, the auto-tuning data is not saved to file.
@ -575,12 +588,7 @@ If you disable or do not configure this policy setting, auto-tuning data is save
This policy setting applies to Japanese Microsoft IME only. This policy setting applies to Japanese Microsoft IME only.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -599,28 +607,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -637,7 +651,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary.
If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off.
@ -648,12 +662,7 @@ If you don't configure this policy setting, it will be turned off by default, an
This Policy setting applies to Microsoft CHS Pinyin IME and JPN IME. This Policy setting applies to Microsoft CHS Pinyin IME and JPN IME.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -672,28 +681,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -710,7 +725,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary.
If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off.
@ -721,12 +736,7 @@ If you don't configure this policy setting, it will be turned off by default, an
This Policy setting applies only to Microsoft CHS Pinyin IME. This Policy setting applies only to Microsoft CHS Pinyin IME.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -745,28 +755,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -783,7 +799,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting controls the lexicon update feature, which downloads hot and popular words lexicon to local PC. This policy setting controls the lexicon update feature, which downloads hot and popular words lexicon to local PC.
If you enable this policy setting, the functionality associated with this feature is turned on, hot and popular words lexicon can be downloaded to local PC, the user is able to turn it on or off in settings. If you enable this policy setting, the functionality associated with this feature is turned on, hot and popular words lexicon can be downloaded to local PC, the user is able to turn it on or off in settings.
@ -794,12 +810,7 @@ If you don't configure this policy setting, it will be turned on by default, and
This Policy setting applies only to Microsoft CHS Pinyin IME. This Policy setting applies only to Microsoft CHS Pinyin IME.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -818,28 +829,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -856,7 +873,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting controls the live sticker feature, which uses an online service to provide stickers online. This policy setting controls the live sticker feature, which uses an online service to provide stickers online.
If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the live stickers, and the user won't be able to turn it off. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the live stickers, and the user won't be able to turn it off.
@ -867,12 +884,7 @@ If you don't configure this policy setting, it will be turned off by default, an
This Policy setting applies only to Microsoft CHS Pinyin IME. This Policy setting applies only to Microsoft CHS Pinyin IME.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -891,28 +903,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -929,7 +947,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on logging of misconversion for the misconversion report. This policy setting allows you to turn on logging of misconversion for the misconversion report.
If you enable this policy setting, misconversion logging is turned on. If you enable this policy setting, misconversion logging is turned on.
@ -938,12 +956,7 @@ If you disable or do not configure this policy setting, misconversion logging is
This policy setting applies to Japanese Microsoft IME and Traditional Chinese IME. This policy setting applies to Japanese Microsoft IME and Traditional Chinese IME.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -956,7 +969,5 @@ ADMX Info:
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies--> <!--/Policies-->

40
windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md
View File

@ -13,8 +13,13 @@ manager: dansimp
--- ---
# Policy CSP - ADMX_EncryptFilesonMove # Policy CSP - ADMX_EncryptFilesonMove
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. > [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/> <hr/>
@ -36,28 +41,34 @@ manager: dansimp
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -74,7 +85,7 @@ manager: dansimp
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder.
If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder. If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder.
@ -83,12 +94,7 @@ If you disable or do not configure this policy setting, File Explorer automatica
This setting applies only to files moved within a volume. When files are moved to other volumes, or if you create a new file in an encrypted folder, File Explorer encrypts those files automatically. This setting applies only to files moved within a volume. When files are moved to other volumes, or if you create a new file in an encrypted folder, File Explorer encrypts those files automatically.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -101,8 +107,6 @@ ADMX Info:
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies--> <!--/Policies-->

180
windows/client-management/mdm/policy-csp-admx-enhancedstorage.md
View File

@ -13,8 +13,13 @@ manager: dansimp
--- ---
# Policy CSP - ADMX_EnhancedStorage # Policy CSP - ADMX_EnhancedStorage
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. > [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/> <hr/>
@ -51,28 +56,34 @@ manager: dansimp
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -89,19 +100,13 @@ manager: dansimp
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer. This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer.
If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer. If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer.
If you disable or do not configure this policy setting, all Enhanced Storage devices are usable on your computer. If you disable or do not configure this policy setting, all Enhanced Storage devices are usable on your computer.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -120,28 +125,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -158,19 +169,13 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer.
If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer. If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer.
If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer. If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -189,28 +194,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -227,19 +238,13 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device.
If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device. If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device.
If you disable or do not configure this policy setting, a password can be used to unlock an Enhanced Storage device. If you disable or do not configure this policy setting, a password can be used to unlock an Enhanced Storage device.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -258,28 +263,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -296,19 +307,13 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer.
If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer. If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer.
If you disable or do not configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer. If you disable or do not configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -327,28 +332,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -365,7 +376,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting locks Enhanced Storage devices when the computer is locked. This policy setting locks Enhanced Storage devices when the computer is locked.
This policy setting is supported in Windows Server SKUs only. This policy setting is supported in Windows Server SKUs only.
@ -374,12 +385,6 @@ If you enable this policy setting, the Enhanced Storage device remains locked wh
If you disable or do not configure this policy setting, the Enhanced Storage device state is not changed when the computer is locked. If you disable or do not configure this policy setting, the Enhanced Storage device state is not changed when the computer is locked.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -398,28 +403,34 @@ ADMX Info:
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
<th>Windows Edition</th> <th>Edition</th>
<th>Supported?</th> <th>Windows 10</th>
<th>Windows 11</th>
</tr> </tr>
<tr> <tr>
<td>Home</td> <td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Pro</td> <td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Business</td> <td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>No</td>
<td>No</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise</td> <td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
<tr> <tr>
<td>Education</td> <td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td>Yes</td>
<td>Yes</td>
</tr> </tr>
</table> </table>
@ -436,19 +447,13 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device. This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device.
If you enable this policy setting, only USB root hub connected Enhanced Storage devices are allowed. If you enable this policy setting, only USB root hub connected Enhanced Storage devices are allowed.
If you disable or do not configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed. If you disable or do not configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed.
<!--/Description--> <!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
@ -461,8 +466,5 @@ ADMX Info:
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies--> <!--/Policies-->

114
windows/client-management/mdm/policy-csp-admx-radar.md Normal file
View File

@ -0,0 +1,114 @@
---
title: Policy CSP - ADMX_Radar
description: Policy CSP - ADMX_Radar
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 12/08/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_Radar
<hr/>
<!--Policies-->
## ADMX_Radar policies
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<dl>
<dd>
<a href="#admx-radar-wdiscenarioexecutionpolicy">ADMX_Radar/WdiScenarioExecutionPolicy</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-radar-wdiscenarioexecutionpolicy"></a>**ADMX_Radar/WdiScenarioExecutionPolicy**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy determines the execution level for Windows Resource Exhaustion Detection and Resolution.
- If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Resource Exhaustion problems and attempt to determine their root causes.
These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Resource Exhaustion problems and indicate to the user that assisted resolution is available.
- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Resource Exhaustion problems that are handled by the DPS.
If you do not configure this policy setting, the DPS will enable Windows Resource Exhaustion for resolution by default.
This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. No system restart or service restart is required for this policy to take effect: changes take effect immediately. This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure Scenario Execution Level*
- GP name: *WdiScenarioExecutionPolicy*
- GP path: *System\Troubleshooting and Diagnostics\Windows Resource Exhaustion Detection and Resolution*
- GP ADMX file name: *Radar.admx*
<hr/>
<!--/ADMXBacked-->
<!--/Policy-->
<!--/Policies-->

114
windows/client-management/mdm/policy-csp-admx-sdiagschd.md Normal file
View File

@ -0,0 +1,114 @@
---
title: Policy CSP - ADMX_sdiagschd
description: Policy CSP - ADMX_sdiagschd
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 09/17/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_sdiagschd
<hr/>
<!--Policies-->
## ADMX_sdiagschd policies
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<dl>
<dd>
<a href="#admx-sdiagschd-scheduleddiagnosticsexecutionpolicy">ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-sdiagschd-scheduleddiagnosticsexecutionpolicy"></a>**ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy determines whether scheduled diagnostics will run to proactively detect and resolve system problems.
- If you enable this policy setting, you must choose an execution level.
If you choose detection and troubleshooting only, Windows will periodically detect and troubleshoot problems. The user will be notified of the problem for interactive resolution.
If you choose detection, troubleshooting and resolution, Windows will resolve some of these problems silently without requiring user input.
- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve problems on a scheduled basis.
If you do not configure this policy setting, local troubleshooting preferences will take precedence, as configured in the control panel. If no local troubleshooting preference is configured, scheduled diagnostics are enabled for detection, troubleshooting and resolution by default. No reboots or service restarts are required for this policy to take effect: changes take effect immediately. This policy setting will only take effect when the Task Scheduler service is in the running state. When the service is stopped or disabled, scheduled diagnostics will not be executed. The Task Scheduler service can be configured with the Services snap-in to the Microsoft Management Console.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure Scheduled Maintenance Behavior*
- GP name: *ScheduledDiagnosticsExecutionPolicy*
- GP path: *System\Troubleshooting and Diagnostics\Scheduled Maintenance*
- GP ADMX file name: *sdiagschd.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->

341
windows/client-management/mdm/policy-csp-admx-servermanager.md Normal file
View File

@ -0,0 +1,341 @@
---
title: Policy CSP - ADMX_ServerManager
description: Policy CSP - ADMX_ServerManager
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 09/18/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_ServerManager
<hr/>
<!--Policies-->
## ADMX_ServerManager policies
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<dl>
<dd>
<a href="#admx-servermanager-do_not_display_manage_your_server_page">ADMX_ServerManager/Do_not_display_Manage_Your_Server_page</a>
</dd>
<dd>
<a href="#admx-servermanager-servermanagerautorefreshrate">ADMX_ServerManager/ServerManagerAutoRefreshRate</a>
</dd>
<dd>
<a href="#admx-servermanager-donotlaunchinitialconfigurationtasks">ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks</a>
</dd>
<dd>
<a href="#admx-servermanager-donotlaunchservermanager">ADMX_ServerManager/DoNotLaunchServerManager</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-servermanager-do_not_display_manage_your_server_page"></a>**ADMX_ServerManager/Do_not_display_Manage_Your_Server_page**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to turn off the automatic display of Server Manager at logon.
- If you enable this policy setting, Server Manager is not displayed automatically when a user logs on to the server.
- If you disable this policy setting, Server Manager is displayed automatically when a user logs on to the server.
If you do not configure this policy setting, Server Manager is displayed when a user logs on to the server. However, if the "Do not show me this console at logon" (Windows Server 2008 and Windows Server 2008 R2) or “Do not start Server Manager automatically at logon” (Windows Server 2012) option is selected, the console is not displayed automatically at logon.
> [!NOTE]
> Regardless of the status of this policy setting, Server Manager is available from the Start menu or the Windows taskbar.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Do not display Server Manager automatically at logon*
- GP name: *Do_not_display_Manage_Your_Server_page*
- GP path: *System\Server Manager*
- GP ADMX file name: *ServerManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-servermanager-servermanagerautorefreshrate"></a>**ADMX_ServerManager/ServerManagerAutoRefreshRate**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to set the refresh interval for Server Manager. Each refresh provides Server Manager with updated information about which roles and features are installed on servers that you are managing by using Server Manager. Server Manager also monitors the status of roles and features installed on managed servers.
- If you enable this policy setting, Server Manager uses the refresh interval specified in the policy setting instead of the “Configure Refresh Interval” setting (in Windows Server 2008 and Windows Server 2008 R2), or the “Refresh the data shown in Server Manager every [x] [minutes/hours/days]” setting (in Windows Server 2012) that is configured in the Server Manager console.
- If you disable this policy setting, Server Manager does not refresh automatically. If you do not configure this policy setting, Server Manager uses the refresh interval settings that are specified in the Server Manager console.
> [!NOTE]
> The default refresh interval for Server Manager is two minutes in Windows Server 2008 and Windows Server 2008 R2, or 10 minutes in Windows Server 2012.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure the refresh interval for Server Manager*
- GP name: *ServerManagerAutoRefreshRate*
- GP path: *System\Server Manager*
- GP ADMX file name: *ServerManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-servermanager-donotlaunchinitialconfigurationtasks"></a>**ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to turn off the automatic display of the Initial Configuration Tasks window at logon on Windows Server 2008 and Windows Server 2008 R2.
- If you enable this policy setting, the Initial Configuration Tasks window is not displayed when an administrator logs on to the server.
- If you disable this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server.
If you do not configure this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server. However, if an administrator selects the "Do not show this window at logon" option, the window is not displayed on subsequent logons.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Do not display Initial Configuration Tasks window automatically at logon*
- GP name: *DoNotLaunchInitialConfigurationTasks*
- GP path: *System\Server Manager*
- GP ADMX file name: *ServerManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-servermanager-donotlaunchservermanager"></a>**ADMX_ServerManager/DoNotLaunchServerManager**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to turn off the automatic display of the Manage Your Server page.
- If you enable this policy setting, the Manage Your Server page is not displayed each time an administrator logs on to the server.
- If you disable or do not configure this policy setting, the Manage Your Server page is displayed each time an administrator logs on to the server.
However, if the administrator has selected the "Dont display this page at logon" option at the bottom of the Manage Your Server page, the page is not displayed.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Do not display Manage Your Server page at logon*
- GP name: *DoNotLaunchServerManager*
- GP path: *System\Server Manager*
- GP ADMX file name: *ServerManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<!--/Policies-->

181
windows/client-management/mdm/policy-csp-admx-soundrec.md Normal file
View File

@ -0,0 +1,181 @@
---
title: Policy CSP - ADMX_SoundRec
description: Policy CSP - ADMX_SoundRec
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 12/01/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_SoundRec
<hr/>
<!--Policies-->
## ADMX_SoundRec policies
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<dl>
<dd>
<a href="#admx-soundrec-soundrec_diableapplication_titletext_1">ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1</a>
</dd>
<dd>
<a href="#admx-soundrec-soundrec_diableapplication_titletext_2">ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-soundrec-soundrec_diableapplication_titletext_1"></a>**ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file.
If you enable this policy setting, Sound Recorder will not run.
If you disable or do not configure this policy setting, Sound Recorder can be run.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Do not allow Sound Recorder to run*
- GP name: *Soundrec_DiableApplication_TitleText_1*
- GP path: *Windows Components\Sound Recorder*
- GP ADMX file name: *SettingSync.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-soundrec-soundrec_diableapplication_titletext_2"></a>**ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file.
If you enable this policy setting, Sound Recorder will not run.
If you disable or do not configure this policy setting, Sound Recorder can be run.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Do not allow Sound Recorder to run*
- GP name: *Soundrec_DiableApplication_TitleText_2*
- GP path: *Windows Components\Sound Recorder*
- GP ADMX file name: *SettingSync.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->

8
windows/client-management/mdm/toc.yml
View File

@ -567,6 +567,8 @@ items:
href: policy-csp-admx-printing2.md href: policy-csp-admx-printing2.md
- name: ADMX_Programs - name: ADMX_Programs
href: policy-csp-admx-programs.md href: policy-csp-admx-programs.md
- name: ADMX_Radar
href: policy-csp-admx-radar.md
- name: ADMX_Reliability - name: ADMX_Reliability
href: policy-csp-admx-reliability.md href: policy-csp-admx-reliability.md
- name: ADMX_RemoteAssistance - name: ADMX_RemoteAssistance
@ -579,10 +581,14 @@ items:
href: policy-csp-admx-scripts.md href: policy-csp-admx-scripts.md
- name: ADMX_sdiageng - name: ADMX_sdiageng
href: policy-csp-admx-sdiageng.md href: policy-csp-admx-sdiageng.md
- name: ADMX_sdiagschd
href: policy-csp-admx-sdiagschd.md
- name: ADMX_Securitycenter - name: ADMX_Securitycenter
href: policy-csp-admx-securitycenter.md href: policy-csp-admx-securitycenter.md
- name: ADMX_Sensors - name: ADMX_Sensors
href: policy-csp-admx-sensors.md href: policy-csp-admx-sensors.md
- name: ADMX_ServerManager
href: policy-csp-admx-servermanager.md
- name: ADMX_Servicing - name: ADMX_Servicing
href: policy-csp-admx-servicing.md href: policy-csp-admx-servicing.md
- name: ADMX_SettingSync - name: ADMX_SettingSync
@ -599,8 +605,6 @@ items:
href: policy-csp-admx-smartcard.md href: policy-csp-admx-smartcard.md
- name: ADMX_Snmp - name: ADMX_Snmp
href: policy-csp-admx-snmp.md href: policy-csp-admx-snmp.md
- name: ADMX_srmfci
href: policy-csp-admx-srmfci.md
- name: ADMX_StartMenu - name: ADMX_StartMenu
href: policy-csp-admx-startmenu.md href: policy-csp-admx-startmenu.md
- name: ADMX_SystemRestore - name: ADMX_SystemRestore

2
windows/deployment/update/delivery-optimization-workflow.md
View File

@ -40,5 +40,5 @@ This workflow allows Delivery Optimization to securely and efficiently deliver r
| kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services as well as device configs. | **countryCode**: The country the client is connected from <br> **doClientVersion**: The version of the DoSvc client <br> **Profile**: The device type (for example, PC or Xbox) <br> **eId**: Client grouping Id <br> **CacheHost**: Cache host id | | kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services as well as device configs. | **countryCode**: The country the client is connected from <br> **doClientVersion**: The version of the DoSvc client <br> **Profile**: The device type (for example, PC or Xbox) <br> **eId**: Client grouping Id <br> **CacheHost**: Cache host id |
| cp\*.prod.do.dsp.mp.microsoft.com <br> | 443 | Content Policy | Provides content specific policies as well as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentId**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **countryCode**: The country the client is connected from <br> **altCatalogId**: If ContentId isn't available, use the download URL instead <br> **eId**: Client grouping Id <br> **CacheHost**: Cache host id | | cp\*.prod.do.dsp.mp.microsoft.com <br> | 443 | Content Policy | Provides content specific policies as well as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentId**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **countryCode**: The country the client is connected from <br> **altCatalogId**: If ContentId isn't available, use the download URL instead <br> **eId**: Client grouping Id <br> **CacheHost**: Cache host id |
| disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupId and external IP. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentId**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **partitionId**: Client partitioning hint <br> **altCatalogId**: If ContentId isn't available, use the download URL instead <br> **eId**: Client grouping Id | | disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupId and external IP. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentId**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **partitionId**: Client partitioning hint <br> **altCatalogId**: If ContentId isn't available, use the download URL instead <br> **eId**: Client grouping Id |
| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentId**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **altCatalogId**: If ContentId isn't available, use the download URL instead <br> **PeerId**: Identified of the device running DO client <br> **ReportedIp**: The internal / private IP Address <br> **IsBackground**: Is the download interactive or background <br> **Uploaded**: Total bytes uploaded to peers <br> **Downloaded**: Total bytes downloaded from peers <br> **DownloadedCdn**: Total bytes downloaded from CDN <br> **Left**: Bytes left to download <br> **Peers Wanted**: Total number of peers wanted <br> **Group Id**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies) <br> **Scope**: The Download mode <br> **UploadedBPS**: The upload speed in bytes per second <br> **DownloadBPS**: The download speed in Bytes per second <br> **eId**: Client grouping Id | | array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentId**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **altCatalogId**: If ContentId isn't available, use the download URL instead <br> **PeerId**: Identity of the device running DO client <br> **ReportedIp**: The internal / private IP Address <br> **IsBackground**: Is the download interactive or background <br> **Uploaded**: Total bytes uploaded to peers <br> **Downloaded**: Total bytes downloaded from peers <br> **DownloadedCdn**: Total bytes downloaded from CDN <br> **Left**: Bytes left to download <br> **Peers Wanted**: Total number of peers wanted <br> **Group Id**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies) <br> **Scope**: The Download mode <br> **UploadedBPS**: The upload speed in bytes per second <br> **DownloadBPS**: The download speed in Bytes per second <br> **eId**: Client grouping Id |
| dl.delivery.mp.microsoft.com <br> emdl.ws.microsoft.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. | | dl.delivery.mp.microsoft.com <br> emdl.ws.microsoft.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. |

269
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
View File

@ -80,7 +80,9 @@ To include the on-premises distinguished name in the certificate's subject, Azur
Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_. Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_.
1. Open **Synchronization Services** from the **Azure AD Connect** folder. 1. Open **Synchronization Services** from the **Azure AD Connect** folder.
2. In the **Synchronization Service Manager**, click **Help** and then click **About**. 2. In the **Synchronization Service Manager**, click **Help** and then click **About**.
3. If the version number is not **1.1.819** or later, then upgrade Azure AD Connect to the latest version. 3. If the version number is not **1.1.819** or later, then upgrade Azure AD Connect to the latest version.
### Verify the onPremisesDistinguishedName attribute is synchronized ### Verify the onPremisesDistinguishedName attribute is synchronized
@ -88,9 +90,13 @@ Sign-in to computer running Azure AD Connect with access equivalent to _local ad
The easiest way to verify the onPremisesDistingushedNamne attribute is synchronized is to use Azure AD Graph Explorer. The easiest way to verify the onPremisesDistingushedNamne attribute is synchronized is to use Azure AD Graph Explorer.
1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/ 1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/
2. Click **Login** and provide Azure credentials 2. Click **Login** and provide Azure credentials
3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go** 3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go**
4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user. 4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user.
![Azure AD Connect On-Prem DN Attribute.](images/aadjcert/aadconnectonpremdn.png) ![Azure AD Connect On-Prem DN Attribute.](images/aadjcert/aadconnectonpremdn.png)
## Prepare the Network Device Enrollment Services (NDES) Service Account ## Prepare the Network Device Enrollment Services (NDES) Service Account
@ -102,9 +108,13 @@ The deployment uses the **NDES Servers** security group to assign the NDES servi
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
1. Open **Active Directory Users and Computers**. 1. Open **Active Directory Users and Computers**.
2. Expand the domain node from the navigation pane. 2. Expand the domain node from the navigation pane.
3. Right-click the **Users** container. Hover over **New** and click **Group**. 3. Right-click the **Users** container. Hover over **New** and click **Group**.
4. Type **NDES Servers** in the **Group Name** text box. 4. Type **NDES Servers** in the **Group Name** text box.
5. Click **OK**. 5. Click **OK**.
### Add the NDES server to the NDES Servers global security group ### Add the NDES server to the NDES Servers global security group
@ -112,8 +122,11 @@ Sign-in to a domain controller or management workstation with access equivalent
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
1. Open **Active Directory Users and Computers**. 1. Open **Active Directory Users and Computers**.
2. Expand the domain node from the navigation pane. 2. Expand the domain node from the navigation pane.
3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group...**.
3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group**.
4. Type **NDES Servers** in **Enter the object names to select**. Click **OK**. Click **OK** on the **Active Directory Domain Services** success dialog. 4. Type **NDES Servers** in **Enter the object names to select**. Click **OK**. Click **OK** on the **Active Directory Domain Services** success dialog.
> [!NOTE] > [!NOTE]
@ -126,8 +139,11 @@ The Network Device Enrollment Services (NDES) role runs under a service account.
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
1. In the navigation pane, expand the node that has your domain name. Select **Users**. 1. In the navigation pane, expand the node that has your domain name. Select **Users**.
2. Right-click the **Users** container. Hover over **New** and then select **User**. Type **NDESSvc** in **Full Name** and **User logon name**. Click **Next**. 2. Right-click the **Users** container. Hover over **New** and then select **User**. Type **NDESSvc** in **Full Name** and **User logon name**. Click **Next**.
3. Type a secure password in **Password**. Confirm the secure password in **Confirm Password**. Clear **User must change password at next logon**. Click **Next**. 3. Type a secure password in **Password**. Confirm the secure password in **Confirm Password**. Clear **User must change password at next logon**. Click **Next**.
4. Click **Finish**. 4. Click **Finish**.
> [!IMPORTANT] > [!IMPORTANT]
@ -140,15 +156,25 @@ The Group Policy object ensures the NDES Service account has the proper user rig
Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
1. Start the **Group Policy Management Console** (gpmc.msc) 1. Start the **Group Policy Management Console** (gpmc.msc)
2. Expand the domain and select the **Group Policy Object** node in the navigation pane. 2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
3. Right-click **Group Policy object** and select **New**. 3. Right-click **Group Policy object** and select **New**.
4. Type **NDES Service Rights** in the name box and click **OK**. 4. Type **NDES Service Rights** in the name box and click **OK**.
5. In the content pane, right-click the **NDES Service Rights** Group Policy object and click **Edit**. 5. In the content pane, right-click the **NDES Service Rights** Group Policy object and click **Edit**.
6. In the navigation pane, expand **Policies** under **Computer Configuration**. 6. In the navigation pane, expand **Policies** under **Computer Configuration**.
7. Expand **Windows Settings > Security Settings > Local Policies**. Select **User Rights Assignments**. 7. Expand **Windows Settings > Security Settings > Local Policies**. Select **User Rights Assignments**.
8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice. 8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice.
9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice. 9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice.
10. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** three times. 10. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** three times.
11. Close the **Group Policy Management Editor**. 11. Close the **Group Policy Management Editor**.
### Configure security for the NDES Service User Rights Group Policy object ### Configure security for the NDES Service User Rights Group Policy object
@ -158,10 +184,15 @@ The best way to deploy the **NDES Service User Rights** Group Policy object is t
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
1. Start the **Group Policy Management Console** (gpmc.msc) 1. Start the **Group Policy Management Console** (gpmc.msc)
2. Expand the domain and select the **Group Policy Object** node in the navigation pane. 2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
3. Double-click the **NDES Service User Rights** Group Policy object. 3. Double-click the **NDES Service User Rights** Group Policy object.
4. In the **Security Filtering** section of the content pane, click **Add**. Type **NDES Servers** or the name of the security group you previously created and click **OK**. 4. In the **Security Filtering** section of the content pane, click **Add**. Type **NDES Servers** or the name of the security group you previously created and click **OK**.
5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**. 5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**.
6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. 6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**.
### Deploy the NDES Service User Rights Group Policy object ### Deploy the NDES Service User Rights Group Policy object
@ -171,7 +202,9 @@ The application of the **NDES Service User Rights** Group Policy object uses sec
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
1. Start the **Group Policy Management Console** (gpmc.msc) 1. Start the **Group Policy Management Console** (gpmc.msc)
2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO** 2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO**
3. In the **Select GPO** dialog box, select **NDES Service User Rights** or the name of the Group Policy object you previously created and click **OK**. 3. In the **Select GPO** dialog box, select **NDES Service User Rights** or the name of the Group Policy object you previously created and click **OK**.
> [!IMPORTANT] > [!IMPORTANT]
@ -197,7 +230,7 @@ Sign-in to the issuing certificate authority with access equivalent to _local ad
1. Open an elevated command prompt and type the following command: 1. Open an elevated command prompt and type the following command:
``` ```console
certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
``` ```
@ -210,18 +243,26 @@ NDES uses a server authentication certificate to authenticate the server endpoin
Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials. Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console. 1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**. 2. Right-click **Certificate Templates** and click **Manage**.
3. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and click **Duplicate Template**. 3. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and click **Duplicate Template**.
4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. 4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
> [!NOTE] > [!NOTE]
> If you use different template names, you'll need to remember and substitute these names in different portions of the lab. > If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
5. On the **Subject** tab, select **Supply in the request**. 5. On the **Subject** tab, select **Supply in the request**.
6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**. 6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**.
7. On the **Security** tab, click **Add**. 7. On the **Security** tab, click **Add**.
8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**. 8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**.
9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. 9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
10. Click on the **Apply** to save changes and close the console. 10. Click on the **Apply** to save changes and close the console.
### Create an Azure AD joined Windows Hello for Business authentication certificate template ### Create an Azure AD joined Windows Hello for Business authentication certificate template
@ -231,20 +272,30 @@ During Windows Hello for Business provisioning, Windows requests an authenticat
Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
1. Open the **Certificate Authority** management console. 1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**. 2. Right-click **Certificate Templates** and click **Manage**.
3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. 5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
> [!NOTE] > [!NOTE]
> If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. 6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
8. On the **Subject** tab, select **Supply in the request**. 8. On the **Subject** tab, select **Supply in the request**.
9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**. 9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**.
10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**. 10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**.
11. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. 11. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
12. Close the console. 12. Close the console.
### Publish certificate templates ### Publish certificate templates
@ -257,10 +308,15 @@ The certificate authority may only issue certificates for certificate templates
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console. 1. Open the **Certificate Authority** management console.
2. Expand the parent node from the navigation pane. 2. Expand the parent node from the navigation pane.
3. Click **Certificate Templates** in the navigation pane. 3. Click **Certificate Templates** in the navigation pane.
4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. 4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue.
5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. 5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
6. Close the console. 6. Close the console.
## Install and Configure the NDES Role ## Install and Configure the NDES Role
@ -282,18 +338,31 @@ Install the Network Device Enrollment Service role on a computer other than the
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
1. Open **Server Manager** on the NDES server. 1. Open **Server Manager** on the NDES server.
2. Click **Manage**. Click **Add Roles and Features**. 2. Click **Manage**. Click **Add Roles and Features**.
3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**. 3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**.
![Server Manager destination server.](images/aadjCert/servermanager-destination-server-ndes.png) ![Server Manager destination server.](images/aadjCert/servermanager-destination-server-ndes.png)
4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list. 4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list.
![Server Manager AD CS Role.](images/aadjCert/servermanager-adcs-role.png) ![Server Manager AD CS Role.](images/aadjCert/servermanager-adcs-role.png)
Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**.
![Server Manager Add Features.](images/aadjcert/serverManager-adcs-add-features.png)
![Server Manager Add Features.](images/aadjcert/servermanager-adcs-add-features.png)
5. On the **Features** page, expand **.NET Framework 3.5 Features**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Expand **.NET Framework 4.5 Features**. Expand **WCF Services**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. 5. On the **Features** page, expand **.NET Framework 3.5 Features**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Expand **.NET Framework 4.5 Features**. Expand **WCF Services**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**.
![Server Manager Feature HTTP Activation.](images/aadjcert/servermanager-adcs-http-activation.png) ![Server Manager Feature HTTP Activation.](images/aadjcert/servermanager-adcs-http-activation.png)
6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**. Click **Add Features** on the **Add Roles and Features Wizard** dialog box. Click **Next**. 6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**. Click **Add Features** on the **Add Roles and Features Wizard** dialog box. Click **Next**.
![Server Manager ADCS NDES Role.](images/aadjcert/servermanager-adcs-ndes-role-checked.png) ![Server Manager ADCS NDES Role.](images/aadjcert/servermanager-adcs-ndes-role-checked.png)
7. Click **Next** on the **Web Server Role (IIS)** page. 7. Click **Next** on the **Web Server Role (IIS)** page.
8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**. 8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**.
- **Web Server > Security > Request Filtering** - **Web Server > Security > Request Filtering**
@ -303,10 +372,13 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
- **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility** - **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility**
![Server Manager Web Server Role.](images/aadjcert/servermanager-adcs-webserver-role.png) ![Server Manager Web Server Role.](images/aadjcert/servermanager-adcs-webserver-role.png)
9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**. 9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**.
> [!IMPORTANT] > [!IMPORTANT]
> .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \<driveLetter>:\\Sources\SxS\ > .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \<driveLetter>:\\Sources\SxS\
![.NET Side by Side.](images/aadjcert/dotNet35sidebyside.png)
![.NET Side by Side.](images/aadjcert/dotnet35sidebyside.png)
### Configure the NDES service account ### Configure the NDES service account
@ -317,8 +389,11 @@ This task adds the NDES service account to the local IIS_USRS group. The task a
Sign-in the NDES server with access equivalent to _local administrator_. Sign-in the NDES server with access equivalent to _local administrator_.
1. Start the **Local Users and Groups** management console (`lusrmgr.msc`). 1. Start the **Local Users and Groups** management console (`lusrmgr.msc`).
2. Select **Groups** from the navigation pane. Double-click the IIS_IUSRS group. 2. Select **Groups** from the navigation pane. Double-click the IIS_IUSRS group.
3. In the **IIS_IUSRS Properties** dialog box, click **Add**. Type **NDESSvc** or the name of your NDES service account. Click **Check Names** to verify the name and then click **OK**. Click **OK** to close the properties dialog box. 3. In the **IIS_IUSRS Properties** dialog box, click **Add**. Type **NDESSvc** or the name of your NDES service account. Click **Check Names** to verify the name and then click **OK**. Click **OK** to close the properties dialog box.
4. Close the management console. 4. Close the management console.
#### Register a Service Principal Name on the NDES Service account #### Register a Service Principal Name on the NDES Service account
@ -326,13 +401,16 @@ Sign-in the NDES server with access equivalent to _local administrator_.
Sign-in the NDES server with access equivalent to _Domain Admins_. Sign-in the NDES server with access equivalent to _Domain Admins_.
1. Open an elevated command prompt. 1. Open an elevated command prompt.
2. Type the following command to register the service principal name 2. Type the following command to register the service principal name
``` ```console
setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount] setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount]
``` ```
where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following: where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following:
```
```console
setspn -s http/ndes.corp.contoso.com contoso\ndessvc setspn -s http/ndes.corp.contoso.com contoso\ndessvc
``` ```
@ -348,17 +426,29 @@ The NDES service enrolls certificates on behalf of users. Therefore, you want t
Sign-in a domain controller with a minimum access equivalent to _Domain Admins_. Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
1. Open **Active Directory Users and Computers** 1. Open **Active Directory Users and Computers**
2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab. 2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab.
![NDES Delegation Tab.](images/aadjcert/ndessvcdelegationtab.png) ![NDES Delegation Tab.](images/aadjcert/ndessvcdelegationtab.png)
3. Select **Trust this user for delegation to specified services only**. 3. Select **Trust this user for delegation to specified services only**.
4. Select **Use any authentication protocol**. 4. Select **Use any authentication protocol**.
5. Click **Add**. 5. Click **Add**.
6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **HOST**. Click **OK**. 6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **HOST**. Click **OK**.
![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png) ![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png)
7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**. 7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**.
8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**. 8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**.
9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates. 9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates.
![NDES Service delegation complete.](images/aadjcert/ndessvcdelegation-host-ca-spn.png) ![NDES Service delegation complete.](images/aadjcert/ndessvcdelegation-host-ca-spn.png)
10. Click **OK**. Close **Active Directory Users and Computers**. 10. Click **OK**. Close **Active Directory Users and Computers**.
### Configure the NDES Role and Certificate Templates ### Configure the NDES Role and Certificate Templates
@ -375,18 +465,31 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
![Server Manager Post-Install Yellow flag.](images/aadjcert/servermanager-post-ndes-yellowactionflag.png) ![Server Manager Post-Install Yellow flag.](images/aadjcert/servermanager-post-ndes-yellowactionflag.png)
1. Click the **Configure Active Directory Certificate Services on the destination server** link. 1. Click the **Configure Active Directory Certificate Services on the destination server** link.
2. On the **Credentials** page, click **Next**. 2. On the **Credentials** page, click **Next**.
![NDES Installation Credentials.](images/aadjcert/ndesconfig01.png) ![NDES Installation Credentials.](images/aadjcert/ndesconfig01.png)
3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next** 3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next**
![NDES Role Services.](images/aadjcert/ndesconfig02.png) ![NDES Role Services.](images/aadjcert/ndesconfig02.png)
4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**. 4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**.
![NDES Service Account for NDES.](images/aadjcert/ndesconfig03b.png) ![NDES Service Account for NDES.](images/aadjcert/ndesconfig03b.png)
5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**. 5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**.
![NDES CA selection.](images/aadjcert/ndesconfig04.png) ![NDES CA selection.](images/aadjcert/ndesconfig04.png)
6. On the **RA Information**, click **Next**. 6. On the **RA Information**, click **Next**.
7. On the **Cryptography for NDES** page, click **Next**. 7. On the **Cryptography for NDES** page, click **Next**.
8. Review the **Confirmation** page. Click **Configure**. 8. Review the **Confirmation** page. Click **Configure**.
![NDES Confirmation.](images/aadjcert/ndesconfig05.png) ![NDES Confirmation.](images/aadjcert/ndesconfig05.png)
9. Click **Close** after the configuration completes. 9. Click **Close** after the configuration completes.
#### Configure Certificate Templates on NDES #### Configure Certificate Templates on NDES
@ -412,18 +515,23 @@ If the need arises, you can configure a signature certificate in the encryption
Sign-in to the NDES Server with _local administrator_ equivalent credentials. Sign-in to the NDES Server with _local administrator_ equivalent credentials.
1. Open an elevated command prompt. 1. Open an elevated command prompt.
2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices. 2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices.
3. Type the following command: 3. Type the following command:
``` ```console
reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName] reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]
``` ```
where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example: where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example:
```
```console
reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication
``` ```
4. Type **Y** when the command asks for permission to overwrite the existing value. 4. Type **Y** when the command asks for permission to overwrite the existing value.
5. Close the command prompt. 5. Close the command prompt.
> [!IMPORTANT] > [!IMPORTANT]
@ -444,21 +552,34 @@ Connector group automatically round-robin, load balance the Azure AD Application
Sign-in a workstation with access equivalent to a _domain user_. Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**.
3. Under **MANAGE**, click **Application proxy**. 3. Under **MANAGE**, click **Application proxy**.
4. Click **Download connector service**. Click **Accept terms & Download**. Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain. 4. Click **Download connector service**. Click **Accept terms & Download**. Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain.
![Azure Application Proxy Connectors.](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png) ![Azure Application Proxy Connectors.](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png)
5. Sign-in the computer that will run the connector with access equivalent to a _domain user_. 5. Sign-in the computer that will run the connector with access equivalent to a _domain user_.
> [!IMPORTANT] > [!IMPORTANT]
> Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers. > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers.
6. Start **AADApplicationProxyConnectorInstaller.exe**. 6. Start **AADApplicationProxyConnectorInstaller.exe**.
7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**. 7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**.
![Azure Application Proxy Connector: license terms](images/aadjcert/azureappproxyconnectorinstall-01.png) ![Azure Application Proxy Connector: license terms](images/aadjcert/azureappproxyconnectorinstall-01.png)
8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**. 8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**.
![Azure Application Proxy Connector: sign-in](images/aadjcert/azureappproxyconnectorinstall-02.png) ![Azure Application Proxy Connector: sign-in](images/aadjcert/azureappproxyconnectorinstall-02.png)
9. When the installation completes. Read the information regarding outbound proxy servers. Click **Close**. 9. When the installation completes. Read the information regarding outbound proxy servers. Click **Close**.
![Azure Application Proxy Connector: read](images/aadjcert/azureappproxyconnectorinstall-03.png) ![Azure Application Proxy Connector: read](images/aadjcert/azureappproxyconnectorinstall-03.png)
10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments. 10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments.
#### Create a Connector Group #### Create a Connector Group
@ -466,12 +587,19 @@ Sign-in a workstation with access equivalent to a _domain user_.
Sign-in a workstation with access equivalent to a _domain user_. Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**.
3. Under **MANAGE**, click **Application proxy**. 3. Under **MANAGE**, click **Application proxy**.
![Azure Application Proxy Connector groups.](images/aadjcert/azureconsole-applicationproxy-connectors-default.png) ![Azure Application Proxy Connector groups.](images/aadjcert/azureconsole-applicationproxy-connectors-default.png)
4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**. 4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**.
![Azure Application New Connector Group.](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png) ![Azure Application New Connector Group.](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png)
5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests. 5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests.
6. Click **Save**. 6. Click **Save**.
#### Create the Azure Application Proxy #### Create the Azure Application Proxy
@ -479,17 +607,29 @@ Sign-in a workstation with access equivalent to a _domain user_.
Sign-in a workstation with access equivalent to a _domain user_. Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**.
3. Under **MANAGE**, click **Application proxy**. 3. Under **MANAGE**, click **Application proxy**.
4. Click **Configure an app**. 4. Click **Configure an app**.
5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL. 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL.
6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**. 6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**.
7. Under **Internal URL**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net). 7. Under **Internal URL**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).
![Azure NDES Application Proxy Configuration.](images/aadjcert/azureconsole-appproxyconfig.png) ![Azure NDES Application Proxy Configuration.](images/aadjcert/azureconsole-appproxyconfig.png)
8. Select **Passthrough** from the **Pre Authentication** list. 8. Select **Passthrough** from the **Pre Authentication** list.
9. Select **NDES WHFB Connectors** from the **Connector Group** list. 9. Select **NDES WHFB Connectors** from the **Connector Group** list.
10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**. 10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**.
11. Click **Add**. 11. Click **Add**.
12. Sign-out of the Azure Portal. 12. Sign-out of the Azure Portal.
> [!IMPORTANT] > [!IMPORTANT]
@ -502,16 +642,27 @@ This task enrolls a client and server authentication certificate used by the Int
Sign-in the NDES server with access equivalent to _local administrators_. Sign-in the NDES server with access equivalent to _local administrators_.
1. Start the Local Computer **Certificate Manager** (certlm.msc). 1. Start the Local Computer **Certificate Manager** (certlm.msc).
2. Expand the **Personal** node in the navigation pane. 2. Expand the **Personal** node in the navigation pane.
3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. 3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**.
4. Click **Next** on the **Before You Begin** page. 4. Click **Next** on the **Before You Begin** page.
5. Click **Next** on the **Select Certificate Enrollment Policy** page. 5. Click **Next** on the **Select Certificate Enrollment Policy** page.
6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box. 6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box.
7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link
![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png) ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png)
8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**. 8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**.
9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished. 9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished.
10. Click **Enroll** 10. Click **Enroll**
11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices. 11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices.
### Configure the Web Server Role ### Configure the Web Server Role
@ -521,15 +672,25 @@ This task configures the Web Server role on the NDES server to use the server au
Sign-in the NDES server with access equivalent to _local administrator_. Sign-in the NDES server with access equivalent to _local administrator_.
1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
![NDES IIS Console](images/aadjcert/ndes-iis-console.png) ![NDES IIS Console](images/aadjcert/ndes-iis-console.png)
3. Click **Bindings...*** under **Actions**. Click **Add**.
3. Click **Bindings...** under **Actions**. Click **Add**.
![NDES IIS Console: Add](images/aadjcert/ndes-iis-bindings.png) ![NDES IIS Console: Add](images/aadjcert/ndes-iis-bindings.png)
4. Select **https** from **Type**. Confirm the value for **Port** is **443**. 4. Select **https** from **Type**. Confirm the value for **Port** is **443**.
5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**. 5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**.
![NDES IIS Console: Certificate List](images/aadjcert/ndes-iis-bindings-add-443.png) ![NDES IIS Console: Certificate List](images/aadjcert/ndes-iis-bindings-add-443.png)
6. Select **http** from the **Site Bindings** list. Click **Remove**. 6. Select **http** from the **Site Bindings** list. Click **Remove**.
7. Click **Close** on the **Site Bindings** dialog box. 7. Click **Close** on the **Site Bindings** dialog box.
8. Close **Internet Information Services (IIS) Manager**. 8. Close **Internet Information Services (IIS) Manager**.
### Verify the configuration ### Verify the configuration
@ -541,18 +702,23 @@ Sign-in the NDES server with access equivalent to _local administrator_.
#### Disable Internet Explorer Enhanced Security Configuration #### Disable Internet Explorer Enhanced Security Configuration
1. Open **Server Manager**. Click **Local Server** from the navigation pane. 1. Open **Server Manager**. Click **Local Server** from the navigation pane.
2. Click **On** next to **IE Enhanced Security Configuration** in the **Properties** section. 2. Click **On** next to **IE Enhanced Security Configuration** in the **Properties** section.
3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**. Click **OK**. 3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**. Click **OK**.
4. Close **Server Manager**. 4. Close **Server Manager**.
#### Test the NDES web server #### Test the NDES web server
1. Open **Internet Explorer**. 1. Open **Internet Explorer**.
2. In the navigation bar, type 2. In the navigation bar, type
``` ```https
https://[fqdnHostName]/certsrv/mscep/mscep.dll https://[fqdnHostName]/certsrv/mscep/mscep.dll
``` ```
where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentService** source. A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentService** source.
@ -560,6 +726,7 @@ A web page similar to the following should appear in your web browser. If you d
![NDES IIS Console: Source](images/aadjcert/ndes-https-website-test-01.png) ![NDES IIS Console: Source](images/aadjcert/ndes-https-website-test-01.png)
Confirm the web site uses the server authentication certificate. Confirm the web site uses the server authentication certificate.
![NDES IIS Console: Confirm](images/aadjcert/ndes-https-website-test-01-show-cert.png) ![NDES IIS Console: Confirm](images/aadjcert/ndes-https-website-test-01-show-cert.png)
## Configure Network Device Enrollment Services to work with Microsoft Intune ## Configure Network Device Enrollment Services to work with Microsoft Intune
@ -575,23 +742,34 @@ Sign-in the NDES server with access equivalent to _local administrator_.
#### Configure the Default Web Site #### Configure the Default Web Site
1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane. 3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane.
![Intune NDES Request filtering.](images/aadjcert/NDES-IIS-RequestFiltering.png) ![Intune NDES Request filtering.](images/aadjcert/NDES-IIS-RequestFiltering.png)
4. Select **Allow unlisted file name extensions**. 4. Select **Allow unlisted file name extensions**.
5. Select **Allow unlisted verbs**. 5. Select **Allow unlisted verbs**.
6. Select **Allow high-bit characters**. 6. Select **Allow high-bit characters**.
7. Type **30000000** in **Maximum allowed content length (Bytes)**. 7. Type **30000000** in **Maximum allowed content length (Bytes)**.
8. Type **65534** in **Maximum URL length (Bytes)**. 8. Type **65534** in **Maximum URL length (Bytes)**.
9. Type **65534** in **Maximum query string (Bytes)**. 9. Type **65534** in **Maximum query string (Bytes)**.
10. Click **OK**. Close **Internet Information Services (IIS) Manager**. 10. Click **OK**. Close **Internet Information Services (IIS) Manager**.
#### Configure Parameters for HTTP.SYS #### Configure Parameters for HTTP.SYS
1. Open an elevated command prompt. 1. Open an elevated command prompt.
2. Run the following commands: 2. Run the following commands:
``` ```console
reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534 reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534
reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534 reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534
``` ```
@ -607,10 +785,15 @@ The Intune Certificate Connector application enables Microsoft Intune to enroll
Sign-in a workstation with access equivalent to a _domain user_. Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**. 2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**.
3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section. 3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section.
![Intune Certificate Authority.](images/aadjcert/profile01.png) ![Intune Certificate Authority.](images/aadjcert/profile01.png)
4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server. 4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server.
5. Sign-out of the Microsoft Endpoint Manager admin center. 5. Sign-out of the Microsoft Endpoint Manager admin center.
### Install the Intune Certificate Connector ### Install the Intune Certificate Connector
@ -618,27 +801,39 @@ Sign-in a workstation with access equivalent to a _domain user_.
Sign-in the NDES server with access equivalent to _domain administrator_. Sign-in the NDES server with access equivalent to _domain administrator_.
1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server. 1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server.
2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server. 2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server.
3. On the **Microsoft Intune** page, click **Next**. 3. On the **Microsoft Intune** page, click **Next**.
![Intune Connector Install 01.](images/aadjcert/intunecertconnectorinstall-01.png) ![Intune Connector Install 01.](images/aadjcert/intunecertconnectorinstall-01.png)
4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation. 4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation.
5. On the **Destination Folder** page, click **Next**. 5. On the **Destination Folder** page, click **Next**.
6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**. 6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**.
![Intune Connector Install 03.](images/aadjcert/intunecertconnectorinstall-03.png) ![Intune Connector Install 03.](images/aadjcert/intunecertconnectorinstall-03.png)
7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**. 7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**.
![Intune Connector Install 05.](images/aadjcert/intunecertconnectorinstall-05.png) ![Intune Connector Install 05.](images/aadjcert/intunecertconnectorinstall-05.png)
> [!NOTE] > [!NOTE]
> The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page. > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page.
8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**. 8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**.
9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**. 9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**.
![Intune Connector Install 06.](images/aadjcert/intunecertconnectorinstall-06.png) ![Intune Connector Install 06.](images/aadjcert/intunecertconnectorinstall-06.png)
> [!NOTE] > [!NOTE]
> You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder. > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder.
10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. 10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task.
![Intune Connector install 07.](images/aadjcert/intunecertconnectorinstall-07.png) ![Intune Connector install 07.](images/aadjcert/intunecertconnectorinstall-07.png)
### Configure the Intune Certificate Connector ### Configure the Intune Certificate Connector
@ -651,9 +846,11 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
> If the **NDES Connector** user interface is not open, you can start it from **\<install_Path>\NDESConnectorUI\NDESConnectorUI.exe**. > If the **NDES Connector** user interface is not open, you can start it from **\<install_Path>\NDESConnectorUI\NDESConnectorUI.exe**.
2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply** 2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply**
![Intune Certificate Connector Configuration 01.](images/aadjcert/intunecertconnectorconfig-01.png) ![Intune Certificate Connector Configuration 01.](images/aadjcert/intunecertconnectorconfig-01.png)
3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role. 3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role.
![Intune Certificate Connector Configuration 02.](images/aadjcert/intunecertconnectorconfig-02.png) ![Intune Certificate Connector Configuration 02.](images/aadjcert/intunecertconnectorconfig-02.png)
> [!IMPORTANT] > [!IMPORTANT]
@ -671,9 +868,13 @@ Optionally (not required), you can configure the Intune connector for certificat
Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_.
1. Start the **Certification Authority** management console. 1. Start the **Certification Authority** management console.
2. In the navigation pane, right-click the name of the certificate authority and select **Properties**. 2. In the navigation pane, right-click the name of the certificate authority and select **Properties**.
3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. 3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**.
![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png)
4. Close the **Certification Authority** 4. Close the **Certification Authority**
#### Enable the NDES Connector for certificate revocation #### Enable the NDES Connector for certificate revocation
@ -681,8 +882,11 @@ Sign-in the certificate authority used by the NDES Connector with access equival
Sign-in the NDES server with access equivalent to _domain administrator_. Sign-in the NDES server with access equivalent to _domain administrator_.
1. Open the **NDES Connector** user interface (**\<install_Path>\NDESConnectorUI\NDESConnectorUI.exe**). 1. Open the **NDES Connector** user interface (**\<install_Path>\NDESConnectorUI\NDESConnectorUI.exe**).
2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**. 2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**.
![Intune Connector cert revocation configuration 04.](images/aadjcert/intunecertconnectorconfig-04.png) ![Intune Connector cert revocation configuration 04.](images/aadjcert/intunecertconnectorconfig-04.png)
3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**. 3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**.
### Test the NDES Connector ### Test the NDES Connector
@ -690,23 +894,28 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
Sign-in the NDES server with access equivalent to _domain admin_. Sign-in the NDES server with access equivalent to _domain admin_.
1. Open a command prompt. 1. Open a command prompt.
2. Type the following command to confirm the NDES Connector's last connection time is current. 2. Type the following command to confirm the NDES Connector's last connection time is current.
``` ```console
reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus
``` ```
3. Close the command prompt. 3. Close the command prompt.
4. Open **Internet Explorer**. 4. Open **Internet Explorer**.
5. In the navigation bar, type: 5. In the navigation bar, type:
``` ```console
https://[fqdnHostName]/certsrv/mscep/mscep.dll https://[fqdnHostName]/certsrv/mscep/mscep.dll
``` ```
where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
![NDES web site test after Intune Certificate Connector.](images/aadjcert/ndes-https-website-test-after-intune-connector.png) ![NDES web site test after Intune Certificate Connector.](images/aadjcert/ndes-https-website-test-after-intune-connector.png)
6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**. 6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**.
## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile
@ -716,14 +925,23 @@ Sign-in the NDES server with access equivalent to _domain admin_.
Sign-in a workstation with access equivalent to a _domain user_. Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**.
3. Click **Groups**. Click **New group**. 3. Click **Groups**. Click **New group**.
4. Select **Security** from the **Group type** list. 4. Select **Security** from the **Group type** list.
5. Under **Group Name**, type the name of the group. For example, **AADJ WHFB Certificate Users**. 5. Under **Group Name**, type the name of the group. For example, **AADJ WHFB Certificate Users**.
6. Provide a **Group description**, if applicable. 6. Provide a **Group description**, if applicable.
7. Select **Assigned** from the **Membership type** list. 7. Select **Assigned** from the **Membership type** list.
![Azure AD new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png) ![Azure AD new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png)
8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**. 8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**.
9. Click **Create**. 9. Click **Create**.
### Create a SCEP Certificate Profile ### Create a SCEP Certificate Profile
@ -731,20 +949,30 @@ Sign-in a workstation with access equivalent to a _domain user_.
Sign-in a workstation with access equivalent to a _domain user_. Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Devices**, and then click **Configuration Profiles**. 2. Select **Devices**, and then click **Configuration Profiles**.
3. Select **Create Profile**. 3. Select **Create Profile**.
![Intune Device Configuration Create Profile.](images/aadjcert/profile02.png) ![Intune Device Configuration Create Profile.](images/aadjcert/profile02.png)
4. Select **Windows 10 and later** from the **Platform** list. 4. Select **Windows 10 and later** from the **Platform** list.
5. Choose **SCEP certificate** from the **Profile** list, and select **Create**. 5. Choose **SCEP certificate** from the **Profile** list, and select **Create**.
6. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**. 6. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**.
7. Next to **Description**, provide a description meaningful for your environment, then select **Next**. 7. Next to **Description**, provide a description meaningful for your environment, then select **Next**.
8. Select **User** as a certificate type. 8. Select **User** as a certificate type.
9. Configure **Certificate validity period** to match your organization. 9. Configure **Certificate validity period** to match your organization.
> [!IMPORTANT] > [!IMPORTANT]
> Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity. > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity.
10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list. 10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate. 11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
> [!NOTE] > [!NOTE]
@ -752,13 +980,21 @@ Sign-in a workstation with access equivalent to a _domain user_.
> If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement). > If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement).
12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}. 12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}.
13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. 13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile. 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile.
15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. 15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. 16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
![WHFB SCEP certificate Profile EKUs.](images/aadjcert/profile03.png) ![WHFB SCEP certificate Profile EKUs.](images/aadjcert/profile03.png)
17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile. 17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
18. Click **Next**. 18. Click **Next**.
19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**. 19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**.
### Assign Group to the WHFB Certificate Enrollment Certificate Profile ### Assign Group to the WHFB Certificate Enrollment Certificate Profile
@ -766,12 +1002,19 @@ Sign-in a workstation with access equivalent to a _domain user_.
Sign-in a workstation with access equivalent to a _domain user_. Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Devices**, and then click **Configuration Profiles**. 2. Select **Devices**, and then click **Configuration Profiles**.
3. Click **WHFB Certificate Enrollment**. 3. Click **WHFB Certificate Enrollment**.
4. Select **Properties**, and then click **Edit** next to the **Assignments** section. 4. Select **Properties**, and then click **Edit** next to the **Assignments** section.
5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list. Click **Select groups to include**. 5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list. Click **Select groups to include**.
![WHFB SCEP Profile Assignment.](images/aadjcert/profile04.png) ![WHFB SCEP Profile Assignment.](images/aadjcert/profile04.png)
6. Select the **AADJ WHFB Certificate Users** group. Click **Select**. 6. Select the **AADJ WHFB Certificate Users** group. Click **Select**.
7. Click **Review + Save**, and then **Save**. 7. Click **Review + Save**, and then **Save**.
You have successfully completed the configuration. Add users that need to enroll a Windows Hello for Business authentication certificate to the **AADJ WHFB Certificate Users** group. This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources. You have successfully completed the configuration. Add users that need to enroll a Windows Hello for Business authentication certificate to the **AADJ WHFB Certificate Users** group. This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources.

0
windows/security/identity-protection/hello-for-business/images/aadjCert/AADConnectOnPremDN.png → windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 270 KiB

After

Width:  |  Height:  |  Size: 270 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-01.png → windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-01.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 139 KiB

After

Width:  |  Height:  |  Size: 139 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-02.png → windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-02.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 118 KiB

After

Width:  |  Height:  |  Size: 118 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-03.png → windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-03.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 125 KiB

After

Width:  |  Height:  |  Size: 125 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Default.png → windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-default.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 327 KiB

After

Width:  |  Height:  |  Size: 327 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Empty.png → windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-empty.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 273 KiB

After

Width:  |  Height:  |  Size: 273 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-NewConnectorGroup.png → windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-newconnectorgroup.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 134 KiB

After

Width:  |  Height:  |  Size: 134 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-AppProxyConfig.png → windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-appproxyconfig.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 256 KiB

After

Width:  |  Height:  |  Size: 256 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/dotNet35sideByside.png → windows/security/identity-protection/hello-for-business/images/aadjCert/dotnet35sidebyside.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 353 KiB

After

Width:  |  Height:  |  Size: 353 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig01.png → windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig01.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 323 KiB

After

Width:  |  Height:  |  Size: 323 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig02.png → windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig02.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 274 KiB

After

Width:  |  Height:  |  Size: 274 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig03b.png → windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig03b.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 298 KiB

After

Width:  |  Height:  |  Size: 298 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig04.png → windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig04.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 271 KiB

After

Width:  |  Height:  |  Size: 271 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig05.png → windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig05.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 343 KiB

After

Width:  |  Height:  |  Size: 343 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-CA-SPN.png → windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ca-spn.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 198 KiB

After

Width:  |  Height:  |  Size: 198 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-NDES-SPN.png → windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ndes-spn.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 156 KiB

After

Width:  |  Height:  |  Size: 156 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegationTab.png → windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegationtab.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 184 KiB

After

Width:  |  Height:  |  Size: 184 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-add-Features.png → windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-add-features.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 164 KiB

After

Width:  |  Height:  |  Size: 164 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-HTTP-Activation.png → windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-http-activation.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 414 KiB

After

Width:  |  Height:  |  Size: 414 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-NDES-Role-Checked.png → windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-ndes-role-checked.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 297 KiB

After

Width:  |  Height:  |  Size: 297 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-Role.png → windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-role.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 355 KiB

After

Width:  |  Height:  |  Size: 355 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-WebServer-Role.png → windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-webserver-role.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 432 KiB

After

Width:  |  Height:  |  Size: 432 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Destination-Server-NDES.png → windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-destination-server-ndes.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 327 KiB

After

Width:  |  Height:  |  Size: 327 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Post-NDES-YellowActionFlag.png → windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-post-ndes-yellowactionflag.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 730 KiB

After

Width:  |  Height:  |  Size: 730 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/setSPN-CommandPrompt.png → windows/security/identity-protection/hello-for-business/images/aadjCert/setspn-commandprompt.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 314 KiB

After

Width:  |  Height:  |  Size: 314 KiB

7
windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
View File

@ -72,7 +72,8 @@ For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f
Setting that applies to all boot applications may be applied only to an individual application, however the reverse is not true. For example, one can specify either: “`all:locale`” or “`winresume:locale`”, but as the bcd setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields. Setting that applies to all boot applications may be applied only to an individual application, however the reverse is not true. For example, one can specify either: “`all:locale`” or “`winresume:locale`”, but as the bcd setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields.
> **Note:**  Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid. > [!NOTE]
> Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.
   
### Default BCD validation profile ### Default BCD validation profile
@ -109,7 +110,9 @@ The following table contains the default BCD validation profile used by BitLocke
### Full list of friendly names for ignored BCD settings ### Full list of friendly names for ignored BCD settings
This following is a full list of BCD settings with friendly names, which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLockerprotected operating system drive to be unlocked. This following is a full list of BCD settings with friendly names, which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLockerprotected operating system drive to be unlocked.
> **Note:**  Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list.
> [!NOTE]
> Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list.
| Hex Value | Prefix | Friendly Name | | Hex Value | Prefix | Friendly Name |
| - | - | - | | - | - | - |

9
windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
View File

@ -190,8 +190,8 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
</colgroup> </colgroup>
<tbody> <tbody>
<tr class="odd"> <tr class="odd">
<td align="left"><p><strong>Name</strong></p></td> <td align="left"><p>Name</p></td>
<td align="left"><p><strong>Parameters</strong></p></td> <td align="left"><p>Parameters</p></td>
</tr> </tr>
<tr class="even"> <tr class="even">
<td align="left"><p><strong>Add-BitLockerKeyProtector</strong></p></td> <td align="left"><p><strong>Add-BitLockerKeyProtector</strong></p></td>
@ -388,8 +388,9 @@ Get-ADUser -filter {samaccountname -eq "administrator"}
> [!NOTE] > [!NOTE]
> Use of this command requires the RSAT-AD-PowerShell feature. > Use of this command requires the RSAT-AD-PowerShell feature.
>
> **Tip:**  In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. > [!TIP]
> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command:

2
windows/security/information-protection/bitlocker/bitlocker-overview.md
View File

@ -69,7 +69,7 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th
> [!NOTE] > [!NOTE]
> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
>
> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
The hard disk must be partitioned with at least two drives: The hard disk must be partitioned with at least two drives:

34
windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
View File

@ -64,7 +64,8 @@ manage-bde protectors -add C: -startupkey E:
manage-bde -on C: manage-bde -on C:
``` ```
>**Note:**  After the encryption is completed, the USB startup key must be inserted before the operating system can be started. > [!NOTE]
> After the encryption is completed, the USB startup key must be inserted before the operating system can be started.
An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. To add them, use this command: An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. To add them, use this command:
@ -102,7 +103,8 @@ You may experience a problem that damages an area of a hard disk on which BitLoc
The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS. The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS.
>**Tip:**  If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume. > [!TIP]
> If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume.
The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true: The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true:
@ -110,7 +112,8 @@ The Repair-bde command-line tool is intended for use when the operating system d
- Windows does not start, or you cannot start the BitLocker recovery console. - Windows does not start, or you cannot start the BitLocker recovery console.
- You do not have a copy of the data that is contained on the encrypted drive. - You do not have a copy of the data that is contained on the encrypted drive.
>**Note:**  Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. > [!NOTE]
> Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.
The following limitations exist for Repair-bde: The following limitations exist for Repair-bde:
@ -130,8 +133,8 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
</colgroup> </colgroup>
<tbody> <tbody>
<tr class="odd"> <tr class="odd">
<td align="left"><p><b>Name</b></p></td> <td align="left"><p>Name</p></td>
<td align="left"><p><b>Parameters</b></p></td> <td align="left"><p>Parameters</p></td>
</tr> </tr>
<tr class="even"> <tr class="even">
<td align="left"><p><b>Add-BitLockerKeyProtector</b></p></td> <td align="left"><p><b>Add-BitLockerKeyProtector</b></p></td>
@ -251,10 +254,13 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
</table> </table>
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the <code>Get-BitLockerVolume</code> cmdlet. A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the <code>Get-BitLockerVolume</code> cmdlet.
The <code>Get-BitLockerVolume</code> cmdlet output gives information on the volume type, protectors, protection status, and other details. The <code>Get-BitLockerVolume</code> cmdlet output gives information on the volume type, protectors, protection status, and other details.
>**Tip:**  Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. > [!TIP]
> Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors.
`Get-BitLockerVolume C: | fl` `Get-BitLockerVolume C: | fl`
If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.
@ -274,7 +280,8 @@ By using this information, you can then remove the key protector for a specific
Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}" Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
``` ```
>**Note:**  The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. > [!NOTE]
> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
### Using the BitLocker Windows PowerShell cmdlets with operating system volumes ### Using the BitLocker Windows PowerShell cmdlets with operating system volumes
@ -302,11 +309,13 @@ $pw = Read-Host -AsSecureString
<user inputs password> <user inputs password>
Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
``` ```
### Using an AD Account or Group protector in Windows PowerShell ### Using an AD Account or Group protector in Windows PowerShell
The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and be unlocked by any member computer of the cluster. The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and be unlocked by any member computer of the cluster.
>**Warning:**  The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes > [!WARNING]
> The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes
To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
@ -316,13 +325,15 @@ Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Adminis
For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command: For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command:
>**Note:**  Use of this command requires the RSAT-AD-PowerShell feature. > [!NOTE]
> Use of this command requires the RSAT-AD-PowerShell feature.
```powershell ```powershell
get-aduser -filter {samaccountname -eq "administrator"} get-aduser -filter {samaccountname -eq "administrator"}
``` ```
>**Tip:**  In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. > [!TIP]
> In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account: The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account:
@ -330,7 +341,8 @@ The following example adds an **ADAccountOrGroup** protector to the previously e
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500 Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500
``` ```
>**Note:**  Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. > [!NOTE]
> Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
## More information ## More information

11
windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
View File

@ -41,6 +41,7 @@ This issue may be caused by settings that are controlled by Group Policy Objects
To resolve this issue, follow these steps: To resolve this issue, follow these steps:
1. Start Registry Editor, and navigate to the following subkey: 1. Start Registry Editor, and navigate to the following subkey:
**HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE** **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE**
1. Delete the following entries: 1. Delete the following entries:
@ -55,9 +56,13 @@ To resolve this issue, follow these steps:
You have a computer that is running Windows 10, version 1709 or version 1607, or Windows 11. You try to encrypt a USB drive by following these steps: You have a computer that is running Windows 10, version 1709 or version 1607, or Windows 11. You try to encrypt a USB drive by following these steps:
1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**. 1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**.
1. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**. 1. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**.
1. Follow the instructions on the page to enter your password. 1. Follow the instructions on the page to enter your password.
1. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**. 1. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**.
1. The **Starting encryption** page displays the message "Access is denied." 1. The **Starting encryption** page displays the message "Access is denied."
You receive this message on any computer that runs Windows 10 version 1709 or version 1607, or Windows 11, when you use any USB drive. You receive this message on any computer that runs Windows 10 version 1709 or version 1607, or Windows 11, when you use any USB drive.
@ -72,13 +77,13 @@ To verify that this issue has occurred, follow these steps:
1. At the command prompt, enter the following command: 1. At the command prompt, enter the following command:
```cmd ```console
C:\>sc sdshow bdesvc C:\>sc sdshow bdesvc
``` ```
The output of this command resembles the following: The output of this command resembles the following:
> D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD) > `D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)`
1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring) command in the PowerShell window, as follows. 1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring) command in the PowerShell window, as follows.
@ -95,7 +100,7 @@ To verify that this issue has occurred, follow these steps:
1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command: 1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command:
```ps ```powershell
sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD) sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
``` ```

4
windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
View File

@ -158,7 +158,7 @@ For more information and recommendations about backing up virtualized domain con
When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry that resembles the following: When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry that resembles the following:
``` ```console
\# for hex 0xc0210000 / decimal -1071579136 \# for hex 0xc0210000 / decimal -1071579136
STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h
\# This volume is locked by BitLocker Drive Encryption. \# This volume is locked by BitLocker Drive Encryption.
@ -166,7 +166,7 @@ When the VSS NTDS writer requests access to the encrypted drive, the Local Secur
The operation produces the following call stack: The operation produces the following call stack:
``` ```console
\# Child-SP RetAddr Call Site \# Child-SP RetAddr Call Site
00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\] 00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\]
01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\] 01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\]

26
windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
View File

@ -55,7 +55,8 @@ To install the tool, follow these steps:
To use TBSLogGenerator, follow these steps: To use TBSLogGenerator, follow these steps:
1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder: 1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder:
**C:\\Program Files (x86)\\Windows Kits\\10\\Hardware Lab Kit\\Tests\\amd64\\NTTEST\\BASETEST\\ngscb** **C:\\Program Files (x86)\\Windows Kits\\10\\Hardware Lab Kit\\Tests\\amd64\\NTTEST\\BASETEST\\ngscb**
This folder contains the TBSLogGenerator.exe file. This folder contains the TBSLogGenerator.exe file.
@ -63,9 +64,11 @@ To use TBSLogGenerator, follow these steps:
![Properties and location of the TBSLogGenerator.exe file.](./images/ts-tpm-3.png) ![Properties and location of the TBSLogGenerator.exe file.](./images/ts-tpm-3.png)
1. Run the following command: 1. Run the following command:
```cmd
```console
TBSLogGenerator.exe -LF <LogFolderName>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.txt TBSLogGenerator.exe -LF <LogFolderName>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.txt
``` ```
where the variables represent the following values: where the variables represent the following values:
- \<*LogFolderName*> = the name of the folder that contains the file to be decoded - \<*LogFolderName*> = the name of the folder that contains the file to be decoded
- \<*LogFileName*> = the name of the file to be decoded - \<*LogFileName*> = the name of the file to be decoded
@ -74,7 +77,7 @@ To use TBSLogGenerator, follow these steps:
For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file: For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file:
```cmd ```console
TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt
``` ```
@ -84,12 +87,12 @@ To use TBSLogGenerator, follow these steps:
![Windows Explorer window that shows the text file that TBSLogGenerator produces.](./images/ts-tpm-5.png) ![Windows Explorer window that shows the text file that TBSLogGenerator produces.](./images/ts-tpm-5.png)
The content of this text file resembles the following. The content of this text file resembles the following.
![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png) ![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png)
To find the PCR information, go to the end of the file. To find the PCR information, go to the end of the file.
![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png) ![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png)
## Use PCPTool to decode Measured Boot logs ## Use PCPTool to decode Measured Boot logs
@ -102,7 +105,8 @@ PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.micros
To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions. To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions.
To decode a log, run the following command: To decode a log, run the following command:
```cmd
```console
PCPTool.exe decodelog <LogFolderPath>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.xml PCPTool.exe decodelog <LogFolderPath>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.xml
``` ```
@ -114,4 +118,4 @@ where the variables represent the following values:
The content of the XML file resembles the following. The content of the XML file resembles the following.
![Command Prompt window that shows an example of how to use PCPTool.](./images/pcptool-output.jpg) :::image type="content" alt-text="Command Prompt window that shows an example of how to use PCPTool." source="./images/pcptool-output.jpg" lightbox="./images/pcptool-output.jpg":::

26
windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
View File

@ -20,7 +20,7 @@ ms.custom: bitlocker
This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices. This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices.
![The BitLocker status indictors on the Intune portal.](./images/4509189-en-1.png) :::image type="content" alt-text="The BitLocker status indictors on the Intune portal." source="./images/4509189-en-1.png" lightbox="./images/4509189-en-1.png":::
To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages: To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages:
@ -104,10 +104,11 @@ The procedures described in this section depend on the default disk partitions t
To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands: To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands:
``` ```console
diskpart diskpart
list volume list volume
``` ```
![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png) ![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png)
If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager). If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager).
@ -118,16 +119,17 @@ If the status of any of the volumes is not healthy or if the recovery partition
To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command: To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command:
```cmd ```console
reagentc /info reagentc /info
``` ```
The output of this command resembles the following. The output of this command resembles the following.
![Output of the reagentc /info command.](./images/4509193-en-1.png) ![Output of the reagentc /info command.](./images/4509193-en-1.png)
If the **Windows RE status** is not **Enabled**, run the following command to enable it: If the **Windows RE status** is not **Enabled**, run the following command to enable it:
```cmd ```console
reagentc /enable reagentc /enable
``` ```
@ -135,13 +137,13 @@ reagentc /enable
If the partition status is healthy, but the **reagentc /enable** command results in an error, verify that Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window: If the partition status is healthy, but the **reagentc /enable** command results in an error, verify that Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window:
```cmd ```console
bcdedit /enum all bcdedit /enum all
``` ```
The output of this command resembles the following. The output of this command resembles the following.
![Output of the bcdedit /enum all command.](./images/4509196-en-1.png) :::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png":::
In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros. In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros.
@ -162,9 +164,13 @@ The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent B
To verify the BIOS mode, use the System Information app. To do this, follow these steps: To verify the BIOS mode, use the System Information app. To do this, follow these steps:
1. Select **Start**, and enter **msinfo32** in the **Search** box. 1. Select **Start**, and enter **msinfo32** in the **Search** box.
1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**. 1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**.
![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png) ![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png)
1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device. 1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device.
> [!NOTE] > [!NOTE]
> If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device. > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device.
@ -186,7 +192,7 @@ You can resolve this issue by verifying the PCR validation profile of the TPM an
To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command: To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command:
```cmd ```console
Manage-bde -protectors -get %systemdrive% Manage-bde -protectors -get %systemdrive%
``` ```
@ -203,16 +209,22 @@ If **PCR Validation Profile** doesn't include **7** (for example, the values inc
To verify the Secure Boot state, use the System Information app. To do this, follow these steps: To verify the Secure Boot state, use the System Information app. To do this, follow these steps:
1. Select **Start**, and enter **msinfo32** in the **Search** box. 1. Select **Start**, and enter **msinfo32** in the **Search** box.
1. Verify that the **Secure Boot State** setting is **On**, as follows: 1. Verify that the **Secure Boot State** setting is **On**, as follows:
![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png) ![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png)
1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device. 1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device.
![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png) ![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png)
> [!NOTE] > [!NOTE]
> You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command: > You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command:
>
> ```ps > ```ps
> PS C:\> Confirm-SecureBootUEFI > PS C:\> Confirm-SecureBootUEFI
> ``` > ```
>
> If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True." > If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."
> >
> If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False." > If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False."

83
windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
View File

@ -49,7 +49,7 @@ You can use either of the following methods to manually back up or synchronize a
For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command: For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command:
```cmd ```console
manage-bde -protectors -adbackup C: manage-bde -protectors -adbackup C:
``` ```
@ -60,7 +60,7 @@ You can use either of the following methods to manually back up or synchronize a
You have a tablet or slate device, and you try to test BitLocker Recovery by running the following command: You have a tablet or slate device, and you try to test BitLocker Recovery by running the following command:
```cmd ```console
Manage-bde -forcerecovery Manage-bde -forcerecovery
``` ```
@ -82,14 +82,21 @@ This behavior is by design for all versions of Windows.
To resolve the restart loop, follow these steps: To resolve the restart loop, follow these steps:
1. On the BitLocker Recovery screen, select **Skip this drive**. 1. On the BitLocker Recovery screen, select **Skip this drive**.
1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**. 1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**.
1. In the Command Prompt window, run the following commands :
```cmd 1. In the Command Prompt window, run the following commands:
```console
manage-bde unlock C: -rp <48-digit BitLocker recovery password> manage-bde unlock C: -rp <48-digit BitLocker recovery password>
manage-bde -protectors -disable C: manage-bde -protectors -disable C:
``` ```
1. Close the Command Prompt window. 1. Close the Command Prompt window.
1. Shut down the device. 1. Shut down the device.
1. Start the device. Windows should start as usual. 1. Start the device. Windows should start as usual.
## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password ## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
@ -115,7 +122,7 @@ Devices that support Connected Standby (also known as *InstantGO* or *Always On,
To verify the PCR values that are in use on a device, open and elevated Command Prompt window and run the following command: To verify the PCR values that are in use on a device, open and elevated Command Prompt window and run the following command:
```cmd ```console
manage-bde.exe -protectors -get <OSDriveLetter>: manage-bde.exe -protectors -get <OSDriveLetter>:
``` ```
@ -130,21 +137,34 @@ If you have installed a TPM or UEFI update and your device cannot start, even if
To do this, follow these steps: To do this, follow these steps:
1. Obtain your BitLocker recovery password from [your Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator for help. 1. Obtain your BitLocker recovery password from [your Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator for help.
1. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive. 1. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive.
1. Insert the USB Surface recovery image drive into the Surface device, and start the device. 1. Insert the USB Surface recovery image drive into the Surface device, and start the device.
1. When you are prompted, select the following items: 1. When you are prompted, select the following items:
1. Your operating system language. 1. Your operating system language.
1. Your keyboard layout. 1. Your keyboard layout.
1. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**. 1. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**.
1. In the Command Prompt window, run the following commands: 1. In the Command Prompt window, run the following commands:
```cmd
```console
manage-bde -unlock -recoverypassword <Password> <DriveLetter>: manage-bde -unlock -recoverypassword <Password> <DriveLetter>:
manage-bde -protectors -disable <DriveLetter>: manage-bde -protectors -disable <DriveLetter>:
``` ```
In these commands, \<*Password*\> is the BitLocker recovery password that you obtained in step 1, and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. In these commands, \<*Password*\> is the BitLocker recovery password that you obtained in step 1, and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive.
> [!NOTE] > [!NOTE]
> For more information about how to use this command, see [manage-bde: unlock](/windows-server/administration/windows-commands/manage-bde-unlock). > For more information about how to use this command, see [manage-bde: unlock](/windows-server/administration/windows-commands/manage-bde-unlock).
1. Restart the computer. 1. Restart the computer.
1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1. 1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1.
> [!NOTE] > [!NOTE]
@ -155,11 +175,15 @@ To do this, follow these steps:
To recover data from your Surface device if you cannot start Windows, follow steps 1 through 5 of [Step 1](#step-1) to return to the Command Prompt window, and then follow these steps: To recover data from your Surface device if you cannot start Windows, follow steps 1 through 5 of [Step 1](#step-1) to return to the Command Prompt window, and then follow these steps:
1. At the command prompt, run the following command: 1. At the command prompt, run the following command:
```cmd
```console
manage-bde -unlock -recoverypassword <Password> <DriveLetter>: manage-bde -unlock -recoverypassword <Password> <DriveLetter>:
``` ```
In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive.
1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive. 1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive.
> [!NOTE] > [!NOTE]
> For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands). > For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands).
@ -172,30 +196,42 @@ To prevent this issue from recurring, we strongly recommend that you restore t
To enable Secure Boot on a Surface device, follow these steps: To enable Secure Boot on a Surface device, follow these steps:
1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet: 1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet:
```ps
```powershell
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0 Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
``` ```
In this command, <*DriveLetter*> is the letter that is assigned to your drive. In this command, <*DriveLetter*> is the letter that is assigned to your drive.
1. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**. 1. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**.
1. Restart the device. 1. Restart the device.
1. Open an elevated PowerShell window, and run the following cmdlet: 1. Open an elevated PowerShell window, and run the following cmdlet:
```ps
```powershell
Resume-BitLocker -MountPoint "<DriveLetter>:" Resume-BitLocker -MountPoint "<DriveLetter>:"
``` ```
To reset the PCR settings on the TPM, follow these steps: To reset the PCR settings on the TPM, follow these steps:
1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies. 1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies.
For more information, see [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md). For more information, see [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md).
1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet: 1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet:
```ps
```powershell
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0 Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
``` ```
where <*DriveLetter*> is the letter assigned to your drive. where <*DriveLetter*> is the letter assigned to your drive.
1. Run the following cmdlet: 1. Run the following cmdlet:
```ps
```powershell
Resume-BitLocker -MountPoint "<DriveLetter>:" Resume-BitLocker -MountPoint "<DriveLetter>:"
```
#### Step 4: Suspend BitLocker during TPM or UEFI firmware updates #### Step 4: Suspend BitLocker during TPM or UEFI firmware updates
@ -209,13 +245,19 @@ You can avoid this scenario when you install updates to system firmware or TPM f
To suspend BitLocker while you install TPM or UEFI firmware updates: To suspend BitLocker while you install TPM or UEFI firmware updates:
1. Open an elevated Windows PowerShell window, and run the following cmdlet: 1. Open an elevated Windows PowerShell window, and run the following cmdlet:
```ps
```powershell
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0 Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
``` ```
In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive. In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive.
1. Install the Surface device driver and firmware updates. 1. Install the Surface device driver and firmware updates.
1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet: 1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet:
```ps
```powershell
Resume-BitLocker -MountPoint "<DriveLetter>:" Resume-BitLocker -MountPoint "<DriveLetter>:"
``` ```
@ -230,22 +272,31 @@ You have a device that runs Windows 11, Windows 10, version 1703, Windows 10, v
If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps: If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps:
1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on. 1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on.
1. On the Recovery screen, press Enter. When you are prompted, enter the recovery password. 1. On the Recovery screen, press Enter. When you are prompted, enter the recovery password.
1. If your device starts in the (WinRE) and prompts you for the recovery password again, select **Skip the drive**. 1. If your device starts in the (WinRE) and prompts you for the recovery password again, select **Skip the drive**.
1. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**. 1. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**.
1. In the Command Prompt window, run the following commands: 1. In the Command Prompt window, run the following commands:
```cmd
```console
Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by - in 6 digit group> Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by - in 6 digit group>
Manage-bde -protectors -disable c: Manage-bde -protectors -disable c:
exit exit
``` ```
These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window. These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window.
> [!NOTE] > [!NOTE]
> These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment. > These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment.
1. Select **Continue**. Windows should start. 1. Select **Continue**. Windows should start.
1. After Windows has started, open an elevated Command Prompt window and run the following command: 1. After Windows has started, open an elevated Command Prompt window and run the following command:
```cmd
```console
Manage-bde -protectors -enable c: Manage-bde -protectors -enable c:
``` ```
@ -254,7 +305,7 @@ If your device is already in this state, you can successfully start Windows afte
To temporarily suspend BitLocker just before you restart the device, open an elevated Command Prompt window and run the following command: To temporarily suspend BitLocker just before you restart the device, open an elevated Command Prompt window and run the following command:
```cmd ```console
Manage-bde -protectors -disable c: -rc 1 Manage-bde -protectors -disable c: -rc 1
``` ```

7
windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
View File

@ -9,7 +9,7 @@ metadata:
ms.localizationpriority: medium ms.localizationpriority: medium
author: denisebmsft author: denisebmsft
ms.author: deniseb ms.author: deniseb
ms.date: 09/29/2021 ms.date: 09/30/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.custom: asr ms.custom: asr
@ -171,11 +171,6 @@ sections:
10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. 10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
- question: |
Why can I not launch Application Guard when Exploit Guard is enabled?
answer: |
There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**.
- question: | - question: |
How can I disable portions of ICS without breaking Application Guard? How can I disable portions of ICS without breaking Application Guard?
answer: | answer: |