deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merged PR 6284: "updated policies supported by GP"

Browse Source 
includes new ADMX-backed policies
This commit is contained in:
Nicholas Brower 2018-03-09 23:00:00 +00:00
parent e7244ca35e
commit 580647e1ce
13 changed files with 1232 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
windows/client-management/mdm/policy-csp-applicationmanagement.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/05/2018
ms.date: 03/09/2018
---
# Policy CSP - ApplicationManagement
@ -569,6 +569,7 @@ The following list shows the supported values:
> [!div class = "checklist"]
> * User
> * Device
<hr/>
@ -582,9 +583,7 @@ Most restricted value is 1.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Only display the private store within the Microsoft Store*
- GP name: *RequirePrivateStoreOnly_1*
- GP path: *Windows Components/Store*
- GP name: *RequirePrivateStoreOnly*
- GP ADMX file name: *WindowsStore.admx*
<!--/ADMXMapped-->

77
windows/client-management/mdm/policy-csp-appruntime.md Normal file
View File

@ -0,0 +1,77 @@
---
title: Policy CSP - AppRuntime
description: Policy CSP - AppRuntime
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/09/2018
---
# Policy CSP - AppRuntime
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
<!--Policies-->
## AppRuntime policies
<dl>
<dd>
<a href="#appruntime-allowmicrosoftaccountstobeoptional">AppRuntime/AllowMicrosoftAccountsToBeOptional</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="appruntime-allowmicrosoftaccountstobeoptional"></a>**AppRuntime/AllowMicrosoftAccountsToBeOptional**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it.
If you enable this policy setting, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead.
If you disable or do not configure this policy setting, users will need to sign in with a Microsoft account.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow Microsoft accounts to be optional*
- GP name: *AppxRuntimeMicrosoftAccountsOptional*
- GP path: *Windows Components/App runtime*
- GP ADMX file name: *AppXRuntime.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--/Policies-->

79
windows/client-management/mdm/policy-csp-credentialsdelegation.md Normal file
View File

@ -0,0 +1,79 @@
---
title: Policy CSP - CredentialsDelegation
description: Policy CSP - CredentialsDelegation
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/09/2018
---
# Policy CSP - CredentialsDelegation
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
<!--Policies-->
## CredentialsDelegation policies
<dl>
<dd>
<a href="#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials">CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials"></a>**CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Remote host allows delegation of non-exportable credentials
When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host.
If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode.
If you disable or do not configure this policy setting, Restricted Administration and Remote Credential Guard mode are not supported. User will always need to pass their credentials to the host.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Remote host allows delegation of non-exportable credentials*
- GP name: *AllowProtectedCreds*
- GP path: *System/Credentials Delegation*
- GP ADMX file name: *CredSsp.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--/Policies-->

48
windows/client-management/mdm/policy-csp-deliveryoptimization.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/05/2018
ms.date: 03/09/2018
---
# Policy CSP - DeliveryOptimization
@ -1217,6 +1217,13 @@ Added in Windows 10, version 1803. Specifies the maximum background download ban
Note that downloads from LAN peers will not be throttled even when this policy is set.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP name: *PercentageMaxBackgroundBandwidth*
- GP element: *PercentageMaxBackgroundBandwidth*
- GP ADMX file name: *DeliveryOptimization.admx*
<!--/ADMXMapped-->
<!--/Policy-->
<hr/>
@ -1273,6 +1280,13 @@ Added in Windows 10, version 1803. Specifies the maximum foreground download ban
Note that downloads from LAN peers will not be throttled even when this policy is set.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP name: *PercentageMaxForegroundBandwidth*
- GP element: *PercentageMaxForegroundBandwidth*
- GP ADMX file name: *DeliveryOptimization.admx*
<!--/ADMXMapped-->
<!--/Policy-->
<hr/>
@ -1377,14 +1391,6 @@ The following list shows the supported values:
Added in Windows 10, version 1803. Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
<!--/Description-->
<!--SupportedValues-->
This policy allows an IT Admin to define the following:
- Business hours range (for example 06:00 to 18:00)
- % of throttle for background traffic during business hours
- % of throttle for background traffic outside of business hours
<!--/SupportedValues-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@ -1400,6 +1406,14 @@ ADMX Info:
- GP ADMX file name: *DeliveryOptimization.admx*
<!--/ADMXBacked-->
<!--SupportedValues-->
This policy allows an IT Admin to define the following:
- Business hours range (for example 06:00 to 18:00)
- % of throttle for background traffic during business hours
- % of throttle for background traffic outside of business hours
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
@ -1443,14 +1457,6 @@ ADMX Info:
Added in Windows 10, version 1803. Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
<!--/Description-->
<!--SupportedValues-->
This policy allows an IT Admin to define the following:
- Business hours range (for example 06:00 to 18:00)
- % of throttle for foreground traffic during business hours
- % of throttle for foreground traffic outside of business hours
<!--/SupportedValues-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@ -1466,6 +1472,14 @@ ADMX Info:
- GP ADMX file name: *DeliveryOptimization.admx*
<!--/ADMXBacked-->
<!--SupportedValues-->
This policy allows an IT Admin to define the following:
- Business hours range (for example 06:00 to 18:00)
- % of throttle for foreground traffic during business hours
- % of throttle for foreground traffic outside of business hours
<!--/SupportedValues-->
<!--/Policy-->
<hr/>

44
windows/client-management/mdm/policy-csp-devicelock.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/05/2018
ms.date: 03/09/2018
---
# Policy CSP - DeviceLock
@ -66,6 +66,9 @@ ms.date: 03/05/2018
<dd>
<a href="#devicelock-minimumpasswordage">DeviceLock/MinimumPasswordAge</a>
</dd>
<dd>
<a href="#devicelock-preventenablinglockscreencamera">DeviceLock/PreventEnablingLockScreenCamera</a>
</dd>
<dd>
<a href="#devicelock-preventlockscreenslideshow">DeviceLock/PreventLockScreenSlideShow</a>
</dd>
@ -1030,6 +1033,45 @@ GP Info:
<hr/>
<!--Policy-->
<a href="" id="devicelock-preventenablinglockscreencamera"></a>**DeviceLock/PreventEnablingLockScreenCamera**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen.
By default, users can enable invocation of an available camera on the lock screen.
If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera cannot be invoked on the lock screen.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Prevent enabling lock screen camera*
- GP name: *CPL_Personalization_NoLockScreenCamera*
- GP path: *Control Panel/Personalization*
- GP ADMX file name: *ControlPanelDisplay.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="devicelock-preventlockscreenslideshow"></a>**DeviceLock/PreventLockScreenSlideShow**

111
windows/client-management/mdm/policy-csp-fileexplorer.md Normal file
View File

@ -0,0 +1,111 @@
---
title: Policy CSP - FileExplorer
description: Policy CSP - FileExplorer
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/09/2018
---
# Policy CSP - FileExplorer
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
<!--Policies-->
## FileExplorer policies
<dl>
<dd>
<a href="#fileexplorer-turnoffdataexecutionpreventionforexplorer">FileExplorer/TurnOffDataExecutionPreventionForExplorer</a>
</dd>
<dd>
<a href="#fileexplorer-turnoffheapterminationoncorruption">FileExplorer/TurnOffHeapTerminationOnCorruption</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="fileexplorer-turnoffdataexecutionpreventionforexplorer"></a>**FileExplorer/TurnOffDataExecutionPreventionForExplorer**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off Data Execution Prevention for Explorer*
- GP name: *NoDataExecutionPrevention*
- GP path: *File Explorer*
- GP ADMX file name: *Explorer.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="fileexplorer-turnoffheapterminationoncorruption"></a>**FileExplorer/TurnOffHeapTerminationOnCorruption**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn off heap termination on corruption*
- GP name: *NoHeapTerminationOnCorruption*
- GP path: *File Explorer*
- GP ADMX file name: *Explorer.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--/Policies-->

193
windows/client-management/mdm/policy-csp-internetexplorer.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/05/2018
ms.date: 03/09/2018
---
# Policy CSP - InternetExplorer
@ -238,6 +238,9 @@ ms.date: 03/05/2018
<dd>
<a href="#internetexplorer-internetzoneallowuserdatapersistence">InternetExplorer/InternetZoneAllowUserDataPersistence</a>
</dd>
<dd>
<a href="#internetexplorer-internetzoneallowvbscripttorunininternetexplorer">InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer</a>
</dd>
<dd>
<a href="#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols">InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls</a>
</dd>
@ -406,6 +409,9 @@ ms.date: 03/05/2018
<dd>
<a href="#internetexplorer-lockeddowninternetzonenavigatewindowsandframes">InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames</a>
</dd>
<dd>
<a href="#internetexplorer-lockeddownintranetjavapermissions">InternetExplorer/LockedDownIntranetJavaPermissions</a>
</dd>
<dd>
<a href="#internetexplorer-lockeddownintranetzoneallowaccesstodatasources">InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources</a>
</dd>
@ -637,6 +643,9 @@ ms.date: 03/05/2018
<dd>
<a href="#internetexplorer-restrictedsiteszoneallowuserdatapersistence">InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence</a>
</dd>
<dd>
<a href="#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer">InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer</a>
</dd>
<dd>
<a href="#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols">InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls</a>
</dd>
@ -5530,6 +5539,50 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-internetzoneallowvbscripttorunininternetexplorer"></a>**InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.
If you selected Enable in the drop-down box, VBScript can run without user intervention.
If you selected Prompt in the drop-down box, users are asked to choose whether to allow VBScript to run.
If you selected Disable in the drop-down box, VBScript is prevented from running.
If you do not configure or disable this policy setting, VBScript is prevented from running.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow VBScript to run in Internet Explorer*
- GP name: *IZ_PolicyAllowVBScript_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols"></a>**InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls**
@ -9180,6 +9233,54 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-lockeddownintranetjavapermissions"></a>**InternetExplorer/LockedDownIntranetJavaPermissions**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to manage permissions for Java applets.
If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.
Low Safety enables applets to perform all operations.
Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.
High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
If you disable this policy setting, Java applets cannot run.
If you do not configure this policy setting, Java applets are disabled.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_4*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-lockeddownintranetzoneallowaccesstodatasources"></a>**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources**
@ -12619,11 +12720,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, and so on). For example, Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users.
Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context.
If you enable this policy setting, any zone can be protected from zone elevation for all processes.
If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes.
If you disable or do not configure this policy setting, processes other than Internet Explorer or those listed in the Process List receive no such protection.
If you disable this policy setting, no zone receives such protection for Internet Explorer processes.
If you do not configure this policy setting, any zone can be protected from zone elevation by Internet Explorer processes.
<!--/Description-->
> [!TIP]
@ -12635,8 +12738,8 @@ If you disable or do not configure this policy setting, processes other than Int
<!--ADMXBacked-->
ADMX Info:
- GP English name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_9*
- GP English name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_9*
- GP path: *Windows Components/Internet Explorer/Security Features/Protection From Zone Elevation*
- GP ADMX file name: *inetres.admx*
@ -12747,11 +12850,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting enables applications hosting the Web Browser Control to block automatic prompting of ActiveX control installation.
This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes.
If you enable this policy setting, the Web Browser Control will block automatic prompting of ActiveX control installation for all processes.
If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes.
If you disable or do not configure this policy setting, the Web Browser Control will not block automatic prompting of ActiveX control installation for all processes.
If you disable this policy setting, prompting for ActiveX control installations will not be blocked for Internet Explorer processes.
If you do not configure this policy setting, the user's preference will be used to determine whether to block ActiveX control installations for Internet Explorer processes.
<!--/Description-->
> [!TIP]
@ -12763,8 +12868,8 @@ If you disable or do not configure this policy setting, the Web Browser Control
<!--ADMXBacked-->
ADMX Info:
- GP English name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_11*
- GP English name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_11*
- GP path: *Windows Components/Internet Explorer/Security Features/Restrict ActiveX Install*
- GP ADMX file name: *inetres.admx*
@ -12810,11 +12915,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting enables applications hosting the Web Browser Control to block automatic prompting of file downloads that are not user initiated.
This policy setting enables blocking of file download prompts that are not user initiated.
If you enable this policy setting, the Web Browser Control will block automatic prompting of file downloads that are not user initiated for all processes.
If you enable this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes.
If you disable this policy setting, the Web Browser Control will not block automatic prompting of file downloads that are not user initiated for all processes.
If you disable this policy setting, prompting will occur for file downloads that are not user initiated for Internet Explorer processes.
If you do not configure this policy setting, the user's preference determines whether to prompt for file downloads that are not user initiated for Internet Explorer processes.
<!--/Description-->
> [!TIP]
@ -12826,8 +12933,8 @@ If you disable this policy setting, the Web Browser Control will not block autom
<!--ADMXBacked-->
ADMX Info:
- GP English name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_12*
- GP English name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_12*
- GP path: *Windows Components/Internet Explorer/Security Features/Restrict File Download*
- GP ADMX file name: *inetres.admx*
@ -14197,6 +14304,50 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer"></a>**InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.
If you selected Enable in the drop-down box, VBScript can run without user intervention.
If you selected Prompt in the drop-down box, users are asked to choose whether to allow VBScript to run.
If you selected Disable in the drop-down box, VBScript is prevented from running.
If you do not configure or disable this policy setting, VBScript is prevented from running.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow VBScript to run in Internet Explorer*
- GP name: *IZ_PolicyAllowVBScript_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols"></a>**InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls**
@ -15560,9 +15711,11 @@ ADMX Info:
<!--Description-->
Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars.
If you enable this policy setting, scripted windows are restricted for all processes.
If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes.
If you disable or do not configure this policy setting, scripted windows are not restricted.
If you disable this policy setting, scripts can continue to create popup windows and windows that obfuscate other windows.
If you do not configure this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes.
<!--/Description-->
> [!TIP]
@ -15574,8 +15727,8 @@ If you disable or do not configure this policy setting, scripted windows are not
<!--ADMXBacked-->
ADMX Info:
- GP English name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_8*
- GP English name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_8*
- GP path: *Windows Components/Internet Explorer/Security Features/Scripted Window Security Restrictions*
- GP ADMX file name: *inetres.admx*

245
windows/client-management/mdm/policy-csp-mssecurityguide.md Normal file
View File

@ -0,0 +1,245 @@
---
title: Policy CSP - MSSecurityGuide
description: Policy CSP - MSSecurityGuide
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/09/2018
---
# Policy CSP - MSSecurityGuide
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
<!--Policies-->
## MSSecurityGuide policies
<dl>
<dd>
<a href="#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon">MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon</a>
</dd>
<dd>
<a href="#mssecurityguide-configuresmbv1clientdriver">MSSecurityGuide/ConfigureSMBV1ClientDriver</a>
</dd>
<dd>
<a href="#mssecurityguide-configuresmbv1server">MSSecurityGuide/ConfigureSMBV1Server</a>
</dd>
<dd>
<a href="#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection">MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection</a>
</dd>
<dd>
<a href="#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications">MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications</a>
</dd>
<dd>
<a href="#mssecurityguide-wdigestauthentication">MSSecurityGuide/WDigestAuthentication</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon"></a>**MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP name: *Pol_SecGuide_0201_LATFP*
- GP ADMX file name: *SecGuide.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="mssecurityguide-configuresmbv1clientdriver"></a>**MSSecurityGuide/ConfigureSMBV1ClientDriver**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP name: *Pol_SecGuide_0002_SMBv1_ClientDriver*
- GP ADMX file name: *SecGuide.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="mssecurityguide-configuresmbv1server"></a>**MSSecurityGuide/ConfigureSMBV1Server**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP name: *Pol_SecGuide_0001_SMBv1_Server*
- GP ADMX file name: *SecGuide.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection"></a>**MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP name: *Pol_SecGuide_0102_SEHOP*
- GP ADMX file name: *SecGuide.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications"></a>**MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP name: *Pol_SecGuide_0101_WDPUA*
- GP ADMX file name: *SecGuide.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="mssecurityguide-wdigestauthentication"></a>**MSSecurityGuide/WDigestAuthentication**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP name: *Pol_SecGuide_0202_WDigestAuthn*
- GP ADMX file name: *SecGuide.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--/Policies-->

175
windows/client-management/mdm/policy-csp-msslegacy.md Normal file
View File

@ -0,0 +1,175 @@
---
title: Policy CSP - MSSLegacy
description: Policy CSP - MSSLegacy
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/09/2018
---
# Policy CSP - MSSLegacy
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
<!--Policies-->
## MSSLegacy policies
<dl>
<dd>
<a href="#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes">MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes</a>
</dd>
<dd>
<a href="#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers">MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers</a>
</dd>
<dd>
<a href="#msslegacy-ipsourceroutingprotectionlevel">MSSLegacy/IPSourceRoutingProtectionLevel</a>
</dd>
<dd>
<a href="#msslegacy-ipv6sourceroutingprotectionlevel">MSSLegacy/IPv6SourceRoutingProtectionLevel</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="msslegacy-allowicmpredirectstooverrideospfgeneratedroutes"></a>**MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP name: *Pol_MSS_EnableICMPRedirect*
- GP ADMX file name: *mss-legacy.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers"></a>**MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP name: *Pol_MSS_NoNameReleaseOnDemand*
- GP ADMX file name: *mss-legacy.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="msslegacy-ipsourceroutingprotectionlevel"></a>**MSSLegacy/IPSourceRoutingProtectionLevel**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP name: *Pol_MSS_DisableIPSourceRouting*
- GP ADMX file name: *mss-legacy.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="msslegacy-ipv6sourceroutingprotectionlevel"></a>**MSSLegacy/IPv6SourceRoutingProtectionLevel**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP name: *Pol_MSS_DisableIPSourceRoutingIPv6*
- GP ADMX file name: *mss-legacy.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--/Policies-->

44
windows/client-management/mdm/policy-csp-power.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/05/2018
ms.date: 03/09/2018
---
# Policy CSP - Power
@ -19,6 +19,9 @@ ms.date: 03/05/2018
## Power policies
<dl>
<dd>
<a href="#power-allowstandbystateswhensleepingonbattery">Power/AllowStandbyStatesWhenSleepingOnBattery</a>
</dd>
<dd>
<a href="#power-allowstandbywhensleepingpluggedin">Power/AllowStandbyWhenSleepingPluggedIn</a>
</dd>
@ -49,6 +52,45 @@ ms.date: 03/05/2018
</dl>
<hr/>
<!--Policy-->
<a href="" id="power-allowstandbystateswhensleepingonbattery"></a>**Power/AllowStandbyStatesWhenSleepingOnBattery**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.
If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state.
If you disable this policy setting, standby states (S1-S3) are not allowed.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow standby states (S1-S3) when sleeping (on battery)*
- GP name: *AllowStandbyStatesDC_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->

85
windows/client-management/mdm/policy-csp-windowsconnectionmanager.md Normal file
View File

@ -0,0 +1,85 @@
---
title: Policy CSP - WindowsConnectionManager
description: Policy CSP - WindowsConnectionManager
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/09/2018
---
# Policy CSP - WindowsConnectionManager
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
<!--Policies-->
## WindowsConnectionManager policies
<dl>
<dd>
<a href="#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork">WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork"></a>**WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time.
If this policy setting is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances:
Automatic connection attempts
- When the computer is already connected to a domain based network, all automatic connection attempts to non-domain networks are blocked.
- When the computer is already connected to a non-domain based network, automatic connection attempts to domain based networks are blocked.
Manual connection attempts
- When the computer is already connected to either a non-domain based network or a domain based network over media other than Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed.
- When the computer is already connected to either a non-domain based network or a domain based network over Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked.
If this policy setting is not configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Prohibit connection to non-domain networks when connected to domain authenticated network*
- GP name: *WCM_BlockNonDomain*
- GP path: *Network/Windows Connection Manager*
- GP ADMX file name: *WCM.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--/Policies-->

86
windows/client-management/mdm/policy-csp-windowslogon.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/05/2018
ms.date: 03/09/2018
---
# Policy CSP - WindowsLogon
@ -25,9 +25,15 @@ ms.date: 03/05/2018
<dd>
<a href="#windowslogon-dontdisplaynetworkselectionui">WindowsLogon/DontDisplayNetworkSelectionUI</a>
</dd>
<dd>
<a href="#windowslogon-enumeratelocalusersondomainjoinedcomputers">WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers</a>
</dd>
<dd>
<a href="#windowslogon-hidefastuserswitching">WindowsLogon/HideFastUserSwitching</a>
</dd>
<dd>
<a href="#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart">WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart</a>
</dd>
</dl>
@ -157,6 +163,45 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="windowslogon-enumeratelocalusersondomainjoinedcomputers"></a>**WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows local users to be enumerated on domain-joined computers.
If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers.
If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Enumerate local users on domain-joined computers*
- GP name: *EnumerateLocalUsers*
- GP path: *System/Logon*
- GP ADMX file name: *logon.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="windowslogon-hidefastuserswitching"></a>**WindowsLogon/HideFastUserSwitching**
@ -219,6 +264,45 @@ To validate on Desktop, do the following:
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart"></a>**WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system.
If you enable or do not configure this policy setting, the device securely saves the user's credentials (including the user name, domain and encrypted password) to configure automatic sign-in after a Windows Update restart. After the Windows Update restart, the user is automatically signed-in and the session is automatically locked with all the lock screen apps configured for that user.
If you disable this policy setting, the device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not restarted after the system restarts.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Sign-in last interactive user automatically after a system-initiated restart*
- GP name: *AutomaticRestartSignOn*
- GP path: *Windows Components/Windows Logon Options*
- GP ADMX file name: *WinLogon.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnote:

82
windows/client-management/mdm/policy-csp-windowspowershell.md Normal file
View File

@ -0,0 +1,82 @@
---
title: Policy CSP - WindowsPowerShell
description: Policy CSP - WindowsPowerShell
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/09/2018
---
# Policy CSP - WindowsPowerShell
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
<!--Policies-->
## WindowsPowerShell policies
<dl>
<dd>
<a href="#windowspowershell-turnonpowershellscriptblocklogging">WindowsPowerShell/TurnOnPowerShellScriptBlockLogging</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="windowspowershell-turnonpowershellscriptblocklogging"></a>**WindowsPowerShell/TurnOnPowerShellScriptBlockLogging**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting,
Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation.
If you disable this policy setting, logging of PowerShell script input is disabled.
If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invocation of a command, script block, function, or script
starts or stops. Enabling Invocation Logging generates a high volume of event logs.
Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Turn on PowerShell Script Block Logging*
- GP name: *EnableScriptBlockLogging*
- GP path: *Windows Components/Windows PowerShell*
- GP ADMX file name: *PowerShellExecutionPolicy.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--/Policies-->