diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 512d523a53..189d686fc7 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -892,7 +892,6 @@ ms.date: 10/08/2020 - [ADMX_Programs/NoProgramsCPL](./policy-csp-admx-programs.md#admx-programs-noprogramscpl) - [ADMX_Programs/NoWindowsFeatures](./policy-csp-admx-programs.md#admx-programs-nowindowsfeatures) - [ADMX_Programs/NoWindowsMarketplace](./policy-csp-admx-programs.md#admx-programs-nowindowsmarketplace) -- [ADMX_PushToInstall/DisablePushToInstall](./policy-csp-admx-pushtoinstall.md#admx-pushtoinstall-disablepushtoinstall) - [ADMX_Reliability/EE_EnablePersistentTimeStamp](./policy-csp-admx-reliability.md#admx-reliability-ee-enablepersistenttimestamp) - [ADMX_Reliability/PCH_ReportShutdownEvents](./policy-csp-admx-reliability.md#admx-reliability-pch-reportshutdownevents) - [ADMX_Reliability/ShutdownEventTrackerStateFile](./policy-csp-admx-reliability.md#admx-reliability-shutdowneventtrackerstatefile) @@ -950,12 +949,17 @@ ms.date: 10/08/2020 - [ADMX_sdiageng/BetterWhenConnected](./policy-csp-admx-sdiageng.md#admx-sdiageng-betterwhenconnected) - [ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticsexecutionpolicy) - [ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticssecuritypolicy) +- [ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy](./policy-csp-admx-sdiagschd.md#admx-sdiagschd-scheduleddiagnosticsexecutionpolicy) - [ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain](/policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain) - [ADMX_Sensors/DisableLocationScripting_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-1) - [ADMX_Sensors/DisableLocationScripting_2](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-2) - [ADMX_Sensors/DisableLocation_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocation-1) - [ADMX_Sensors/DisableSensors_1](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-1) - [ADMX_Sensors/DisableSensors_2](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-2) +- [ADMX_ServerManager/Do_not_display_Manage_Your_Server_page](./policy-csp-admx-servermanager.md#admx-servermanager-do_not_display_manage_your_server_page) +- [ADMX_ServerManager/ServerManagerAutoRefreshRate](./policy-csp-admx-servermanager.md#admx-servermanager-servermanagerautorefreshrate) +- [ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks](./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchinitialconfigurationtasks) +- [ADMX_ServerManager/DoNotLaunchServerManager](./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchservermanager) - [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing) - [ADMX_SettingSync/DisableAppSyncSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableappsyncsettingsync) - [ADMX_SettingSync/DisableApplicationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableapplicationsettingsync) @@ -993,6 +997,8 @@ ms.date: 10/08/2020 - [ADMX_Snmp/SNMP_Communities](./policy-csp-admx-snmp.md#admx-snmp-snmp-communities) - [ADMX_Snmp/SNMP_PermittedManagers](./policy-csp-admx-snmp.md#admx-snmp-snmp-permittedmanagers) - [ADMX_Snmp/SNMP_Traps_Public](./policy-csp-admx-snmp.md#admx-snmp-snmp-traps-public) +- [ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1](./policy-csp-admx-soundrec.md#admx-soundrec-soundrec_diableapplication_titletext_1) +- [ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2](./policy-csp-admx-soundrec.md#admx-soundrec-soundrec_diableapplication_titletext_2) - [ADMX_StartMenu/AddSearchInternetLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-addsearchinternetlinkinstartmenu) - [ADMX_StartMenu/ClearRecentDocsOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentdocsonexit) - [ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentprogfornewuserinstartmenu) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 958e7ec840..e0e613f0c2 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3171,13 +3171,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC -### ADMX_PushToInstall policies - -
-
- ADMX_PushToInstall/DisablePushToInstall -
- ### ADMX_Reliability policies
@@ -3365,6 +3358,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_sdiagschd policies + +
+
+ ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy +
+
+ ### ADMX_sdiageng policies
@@ -3407,6 +3408,23 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_ServerManager policies + +
+
+ ADMX_ServerManager/Do_not_display_Manage_Your_Server_page +
+
+ ADMX_ServerManager/ServerManagerAutoRefreshRate +
+
+ ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks +
+
+ ADMX_ServerManager/DoNotLaunchServerManager +
+
+ ### ADMX_Servicing policies
@@ -3558,6 +3576,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_SoundRec policies + +
+
+ ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1 +
+
+ ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2 +
+
+ ### ADMX_StartMenu policies
diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md index 44e91fe2e9..514efdce81 100644 --- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md +++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_CipherSuiteOrder -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -40,28 +44,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -78,7 +88,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the cipher suites used by the Secure Socket Layer (SSL). +This policy setting determines the cipher suites used by the Secure Socket Layer (SSL). If you enable this policy setting, SSL cipher suites are prioritized in the order specified. @@ -87,12 +97,7 @@ If you disable or do not configure this policy setting, default cipher suite ord For information about supported cipher suites, see [Cipher Suites in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/cipher-suites-in-schannel). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -113,28 +118,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -151,7 +162,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. +This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. If you enable this policy setting, ECC curves are prioritized in the order specified. Enter one curve name per line. @@ -170,12 +181,6 @@ CertUtil.exe -DisplayEccCurve ``` -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -188,7 +193,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md index 13d4fabf45..abac5580d8 100644 --- a/windows/client-management/mdm/policy-csp-admx-com.md +++ b/windows/client-management/mdm/policy-csp-admx-com.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_COM -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -40,28 +44,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -78,7 +88,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. +This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. @@ -89,12 +99,7 @@ If you disable or do not configure this policy setting, the program continues wi This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -115,28 +120,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -153,7 +164,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. +This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. @@ -164,12 +175,6 @@ If you disable or do not configure this policy setting, the program continues wi This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -182,7 +187,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md index 9dec30ad01..bdd6e7f313 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_ControlPanel -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -45,28 +50,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -83,7 +94,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. +This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen. @@ -98,12 +109,7 @@ If both the "Hide specified Control Panel items" setting and the "Show only spec > The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. Note: To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -122,28 +128,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -160,7 +172,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default Control Panel view, whether by category or icons. +This policy setting controls the default Control Panel view, whether by category or icons. If this policy setting is enabled, the Control Panel opens to the icon view. @@ -172,12 +184,7 @@ If this policy setting is not configured, the Control Panel opens to the view us > Icon size is dependent upon what the user has set it to in the previous session. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -196,28 +203,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -253,12 +266,7 @@ This setting removes PC settings from: If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a setting prevents the action. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -277,28 +285,38 @@ ADMX Info: - - + + + - + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -315,7 +333,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. +This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. @@ -330,12 +348,6 @@ If both the "Hide specified Control Panel items" setting and the "Show only spec > To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -348,7 +360,4 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md index f1f3907cbe..d86682733e 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_ControlPanelDisplay -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -105,28 +110,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -143,19 +154,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Disables the Display Control Panel. +Disables the Display Control Panel. If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action. Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -174,28 +180,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -212,17 +229,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Settings tab from Display in Control Panel. +Removes the Settings tab from Display in Control Panel. This setting prevents users from using Control Panel to add, configure, or change the display settings on the computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -241,28 +253,40 @@ ADMX Info: - - + + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -279,7 +303,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting forces the theme color scheme to be the default color scheme. +This setting forces the theme color scheme to be the default color scheme. If you enable this setting, a user cannot change the color scheme of the current desktop theme. @@ -288,12 +312,6 @@ If you disable or do not configure this setting, a user may change the color sch For Windows 7 and later, use the "Prevent changing color and appearance" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -312,28 +330,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -350,7 +379,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting disables the theme gallery in the Personalization Control Panel. +This setting disables the theme gallery in the Personalization Control Panel. If you enable this setting, users cannot change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off). @@ -360,12 +389,6 @@ If you disable or do not configure this setting, there is no effect. > If you enable this setting but do not specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -384,28 +407,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -422,19 +456,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. +Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. When enabled on Windows XP, this setting disables the "Windows and buttons" drop-down list on the Appearance tab in Display Properties. When enabled on Windows XP and later systems, this setting prevents users and applications from changing the visual style through the command line. Also, a user may not apply a different visual style when changing themes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -453,28 +481,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -491,7 +530,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enables desktop screen savers. +Enables desktop screen savers. If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot change the screen saver options. @@ -502,12 +541,6 @@ If you enable it, a screen saver runs, provided the following two conditions hol Also, see the "Prevent changing Screen Saver" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -526,28 +559,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -564,7 +608,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens. +This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens. This setting lets you specify the default lock screen and logon image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image). @@ -575,12 +619,7 @@ This can be used in conjunction with the "Prevent changing lock screen and logon Note: This setting only applies to Enterprise, Education, and Server SKUs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -599,28 +638,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -637,19 +687,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the size of the font in the windows and buttons displayed on their screens. +Prevents users from changing the size of the font in the windows and buttons displayed on their screens. If this setting is enabled, the "Font size" drop-down list on the Appearance tab in Display Properties is disabled. If you disable or do not configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -668,28 +712,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -706,19 +761,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the background image shown when the machine is locked or when on the logon screen. +Prevents users from changing the background image shown when the machine is locked or when on the logon screen. By default, users can change the background image shown when the machine is locked or displaying the logon screen. If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -737,28 +786,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -775,7 +835,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the look of their start menu background, such as its color or accent. +Prevents users from changing the look of their start menu background, such as its color or accent. By default, users can change the look of their start menu background, such as its color or accent. @@ -786,12 +846,6 @@ If the "Force a specific background and accent color" policy is also set on a su If the "Force a specific Start background" policy is also set on a supported version of Windows, then that background takes precedence over this policy. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -810,28 +864,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -848,7 +913,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available. +Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available. This setting prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows. @@ -857,12 +922,6 @@ If this setting is disabled or not configured, the Color (or Window Color) page For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the in Display in Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -881,28 +940,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -919,7 +989,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from adding or changing the background design of the desktop. +Prevents users from adding or changing the background design of the desktop. By default, users can use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop. @@ -932,12 +1002,6 @@ Note: You must also enable the "Desktop Wallpaper" setting to prevent users from Also, see the "Allow only bitmapped wallpaper" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -956,28 +1020,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -994,7 +1069,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the desktop icons. +Prevents users from changing the desktop icons. By default, users can use the Desktop Icon Settings dialog in the Personalization or Display Control Panel to show, hide, or change the desktop icons. @@ -1003,12 +1078,6 @@ If you enable this setting, none of the desktop icons can be changed by the user For systems prior to Windows Vista, this setting also hides the Desktop tab in the Display Control Panel. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1027,28 +1096,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1072,12 +1152,6 @@ If you enable this policy setting, users that are not required to press CTRL + A If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1096,28 +1170,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1141,12 +1226,6 @@ By default, users can use the Pointers tab in the Mouse Control Panel to add, re If you enable this setting, none of the mouse pointer scheme settings can be changed by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1165,28 +1244,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1203,17 +1293,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. +Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a screen saver from running. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1232,28 +1316,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1270,19 +1365,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the sound scheme. +Prevents users from changing the sound scheme. By default, users can use the Sounds tab in the Sound Control Panel to add, remove, or change the system Sound Scheme. If you enable this setting, none of the Sound Scheme settings can be changed by the user. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1301,28 +1390,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1339,19 +1439,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. +Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. By default, users can change the background and accent colors. If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1370,28 +1464,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1408,7 +1513,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Determines whether screen savers used on the computer are password protected. +Determines whether screen savers used on the computer are password protected. If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver. @@ -1422,12 +1527,6 @@ To ensure that a computer will be password protected, enable the "Enable Screen > To remove the Screen Saver dialog, use the "Prevent changing Screen Saver" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1446,8 +1545,9 @@ ADMX Info: - - + + + @@ -1455,19 +1555,27 @@ ADMX Info: - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Home
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1484,7 +1592,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies how much user idle time must elapse before the screen saver is launched. +Specifies how much user idle time must elapse before the screen saver is launched. When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started. @@ -1501,12 +1609,6 @@ This setting has no effect under any of the following circumstances: When not configured, whatever wait time is set on the client through the Screen Saver dialog in the Personalization or Display Control Panel is used. The default is 15 minutes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1525,28 +1627,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1563,7 +1676,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the screen saver for the user's desktop. +Specifies the screen saver for the user's desktop. If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers in the Screen Saver dialog in the Personalization or Display Control Panel, which prevents users from changing the screen saver. @@ -1577,12 +1690,6 @@ If the specified screen saver is not installed on a computer to which this setti > This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers do not run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1601,28 +1708,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1646,12 +1764,6 @@ If you enable this setting, the theme that you specify will be applied when a ne If you disable or do not configure this setting, the default theme will be applied at the first logon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1670,28 +1782,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1708,7 +1831,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting allows you to force a specific visual style file by entering the path (location) of the visual style file. +This setting allows you to force a specific visual style file by entering the path (location) of the visual style file. This can be a local computer visual style (aero.msstyles), or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles). @@ -1724,12 +1847,6 @@ If you disable or do not configure this setting, the users can select the visual > To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you cannot apply the Windows Classic visual style. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1748,28 +1865,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1786,19 +1914,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. +Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. If this setting is set to zero or not configured, then Start uses the default background, and users can change it. If this setting is set to a nonzero value, then Start uses the specified background, and users cannot change it. If the specified background is not supported, the default background is used. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1811,7 +1933,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md index 6ad7cad008..71ba7fb9c0 100644 --- a/windows/client-management/mdm/policy-csp-admx-cpls.md +++ b/windows/client-management/mdm/policy-csp-admx-cpls.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_Cpls -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -36,28 +41,39 @@ manager: dansimp - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -74,7 +90,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. +This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. > [!NOTE] > The default account picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg. The default guest picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg. If the default pictures do not exist, an empty frame is displayed. @@ -84,12 +100,7 @@ If you enable this policy setting, the default user account picture will display If you disable or do not configure this policy setting, users will be able to customize their account pictures. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -102,8 +113,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md index b7ed4ab54a..92d2b7cfc2 100644 --- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_CredentialProviders -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -42,28 +47,39 @@ manager: dansimp - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -80,7 +96,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether a user can change the time before a password is required when a Connected Standby device screen turns off. +This policy setting allows you to control whether a user can change the time before a password is required when a Connected Standby device screen turns off. If you enable this policy setting, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. @@ -91,12 +107,7 @@ If you don't configure this policy setting on a domain-joined device, a user can If you don't configure this policy setting on a workgroup device, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -115,28 +126,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -153,7 +175,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to assign a specified credential provider as the default credential provider. +This policy setting allows the administrator to assign a specified credential provider as the default credential provider. If you enable this policy setting, the specified credential provider is selected on other user tile. @@ -163,12 +185,6 @@ If you disable or do not configure this policy setting, the system picks the def > A list of registered credential providers and their GUIDs can be found in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -188,28 +204,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -226,7 +253,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to exclude the specified credential providers from use during authentication. +This policy setting allows the administrator to exclude the specified credential providers from use during authentication. > [!NOTE] > Credential providers are used to process and validate user credentials during logon or when authentication is required. Windows Vista provides two default credential providers: Password and Smart Card. An administrator can install additional credential providers for different sets of credentials (for example, to support biometric authentication). @@ -236,12 +263,6 @@ If you enable this policy, an administrator can specify the CLSIDs of the creden If you disable or do not configure this policy, all installed and otherwise enabled credential providers are available for authentication purposes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -254,9 +275,5 @@ ADMX Info:
-> [!NOTE] -> These policies are for upcoming release. - - -These policies are currently only available as part of a Windows Insider release. \ No newline at end of file + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md index 04bbf46ba4..2c66db1203 100644 --- a/windows/client-management/mdm/policy-csp-admx-credssp.md +++ b/windows/client-management/mdm/policy-csp-admx-credssp.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_CredSsp -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -66,28 +71,38 @@ manager: dansimp - - + + + - + + + - + + + - + + + - + + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -104,7 +119,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. @@ -122,12 +137,7 @@ If you disable or do not configure (by default) this policy setting, delegation > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -146,28 +156,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -184,7 +205,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos. @@ -207,12 +228,6 @@ https://go.microsoft.com/fwlink/?LinkId=301508 > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -231,28 +246,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -269,7 +295,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability. @@ -287,12 +313,6 @@ If you enable this policy setting, CredSSP version support will be selected base For more information about the vulnerability and servicing requirements for protection, see https://go.microsoft.com/fwlink/?linkid=866660 -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -311,28 +331,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -349,7 +380,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. @@ -369,12 +400,6 @@ If you disable this policy setting, delegation of fresh credentials is not permi > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -393,28 +418,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -431,7 +467,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. @@ -451,12 +487,6 @@ If you disable this policy setting, delegation of fresh credentials is not permi > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -475,28 +505,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -513,7 +554,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. @@ -533,12 +574,6 @@ If you disable this policy setting, delegation of saved credentials is not permi > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -557,28 +592,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -595,7 +641,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. @@ -615,12 +661,6 @@ If you disable this policy setting, delegation of saved credentials is not permi > - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -639,28 +679,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -677,7 +728,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows). @@ -695,12 +746,6 @@ If you disable or do not configure (by default) this policy setting, this policy This policy setting can be used in combination with the "Allow delegating default credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating default credentials" server list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -719,28 +764,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -757,7 +813,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application). @@ -775,12 +831,6 @@ If you disable or do not configure (by default) this policy setting, this policy This policy setting can be used in combination with the "Allow delegating fresh credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating fresh credentials" server list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -799,28 +849,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -837,7 +898,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). @@ -855,12 +916,6 @@ If you disable or do not configure (by default) this policy setting, this policy This policy setting can be used in combination with the "Allow delegating saved credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating saved credentials" server list. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -879,28 +934,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -917,7 +983,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device. +When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device. Participating apps: Remote Desktop Client @@ -936,12 +1002,6 @@ If you disable or do not configure this policy setting, Restricted Admin and Rem > On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions do not support Remote Credential Guard. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -954,8 +1014,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md index acb7942b92..b6e48f936c 100644 --- a/windows/client-management/mdm/policy-csp-admx-credui.md +++ b/windows/client-management/mdm/policy-csp-admx-credui.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_CredUI -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -39,28 +44,39 @@ manager: dansimp - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -77,7 +93,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials. +This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials. > [!NOTE] > This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled. @@ -87,12 +103,6 @@ If you enable this policy setting, users will be required to enter Windows crede If you disable or do not configure this policy setting, users will enter Windows credentials within the user’s desktop session, potentially allowing malicious code access to the user’s Windows credentials. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -111,28 +121,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -152,12 +173,7 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. If you turn this policy setting on, local users won’t be able to set up and use security questions to reset their passwords. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -168,10 +184,6 @@ ADMX Info: -
- -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - +< diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md index b42e1e9ad0..0098e79df8 100644 --- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md +++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_CtrlAltDel -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -45,28 +50,39 @@ manager: dansimp - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -83,19 +99,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their Windows password on demand. +This policy setting prevents users from changing their Windows password on demand. If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del. However, users are still able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -115,28 +126,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -153,7 +175,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from locking the system. +This policy setting prevents users from locking the system. While locked, the desktop is hidden and the system cannot be used. Only the user who locked the system or the system administrator can unlock it. @@ -165,12 +187,6 @@ If you disable or do not configure this policy setting, users will be able to lo > To lock a computer without configuring a setting, press Ctrl+Alt+Delete, and then click Lock this computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -188,28 +204,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -226,7 +253,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from starting Task Manager. +This policy setting prevents users from starting Task Manager. Task Manager (**taskmgr.exe**) lets users start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. @@ -235,12 +262,6 @@ If you enable this policy setting, users will not be able to access Task Manager If you disable or do not configure this policy setting, users can access Task Manager to start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -259,28 +280,39 @@ ADMX Info: - - + + + - + + + - + + + - + + + - + + + - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -297,7 +329,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting disables or removes all menu items and buttons that log the user off the system. +This policy setting disables or removes all menu items and buttons that log the user off the system. If you enable this policy setting, users will not see the Log off menu item when they press Ctrl+Alt+Del. This will prevent them from logging off unless they restart or shutdown the computer, or clicking Log off from the Start menu. @@ -306,12 +338,6 @@ Also, see the 'Remove Logoff on the Start Menu' policy setting. If you disable or do not configure this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -324,8 +350,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md index c2de3fdc86..3955a74bc1 100644 --- a/windows/client-management/mdm/policy-csp-admx-datacollection.md +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -13,14 +13,19 @@ manager: dansimp --- # Policy CSP - ADMX_DataCollection -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
## ADMX_DataCollection policies +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
ADMX_DataCollection/CommercialIdPolicy @@ -36,28 +41,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -74,19 +85,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the identifier used to uniquely associate this device’s telemetry data as belonging to a given organization. +This policy setting defines the identifier used to uniquely associate this device’s telemetry data as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its telemetry data with your organization. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md index 4baa5a5da4..575e15bf06 100644 --- a/windows/client-management/mdm/policy-csp-admx-desktop.md +++ b/windows/client-management/mdm/policy-csp-admx-desktop.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_Desktop -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -120,28 +125,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -158,7 +169,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results. +Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results. If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it. @@ -167,12 +178,7 @@ If you disable this setting or do not configure it, the filter bar does not appe To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar does not appear above the resulting display, on the View menu, click Filter. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -191,28 +197,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -229,7 +241,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Hides the Active Directory folder in Network Locations. +Hides the Active Directory folder in Network Locations. The Active Directory folder displays Active Directory objects in a browse window. @@ -240,12 +252,7 @@ If you disable this setting or do not configure it, the Active Directory folder This setting is designed to let users search Active Directory but not tempt them to casually browse Active Directory. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -264,28 +271,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -302,7 +315,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. +Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. If you enable this setting, you can use the "Number of objects returned" box to limit returns from an Active Directory search. @@ -311,12 +324,7 @@ If you disable this setting or do not configure it, the system displays up to 10 This setting is designed to protect the network and the domain controller from the effect of expansive searches. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -335,28 +343,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -373,7 +387,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Enables Active Desktop and prevents users from disabling it. +Enables Active Desktop and prevents users from disabling it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. @@ -383,12 +397,6 @@ If you disable this setting or do not configure it, Active Desktop is disabled b > If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -407,28 +415,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -445,7 +459,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Disables Active Desktop and prevents users from enabling it. +Disables Active Desktop and prevents users from enabling it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. @@ -455,12 +469,7 @@ If you disable this setting or do not configure it, Active Desktop is disabled b > If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -479,28 +488,33 @@ ADMX Info: - - + + + - + + - + + - + + - - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark
YesYes
Educationcross markYesYes
@@ -517,17 +531,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration. +Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration. This is a comprehensive setting that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users cannot enable or disable Active Desktop. If Active Desktop is already enabled, users cannot add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -546,28 +554,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -584,19 +598,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. +Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. Removing icons and shortcuts does not prevent the user from using another method to start the programs or opening the items they represent. Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -615,28 +624,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -653,7 +668,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from using the Desktop Cleanup Wizard. +Prevents users from using the Desktop Cleanup Wizard. If you enable this setting, the Desktop Cleanup wizard does not automatically run on a users workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard. @@ -663,12 +678,7 @@ If you disable this setting or do not configure it, the default behavior of the > When this setting is not enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -687,28 +697,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -725,17 +741,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar. +Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar. This setting does not prevent the user from starting Internet Explorer by using other methods. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -754,28 +765,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -792,7 +809,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view of all Explorer windows, and it hides Computer in the Explorer folder tree pane. If the user navigates into Computer via the "Up" button while this setting is enabled, they view an empty Computer folder. This setting allows administrators to restrict their users from seeing Computer in the shell namespace, allowing them to present their users with a simpler desktop environment. +This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view of all Explorer windows, and it hides Computer in the Explorer folder tree pane. If the user navigates into Computer via the "Up" button while this setting is enabled, they view an empty Computer folder. This setting allows administrators to restrict their users from seeing Computer in the shell namespace, allowing them to present their users with a simpler desktop environment. If you enable this setting, Computer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to Computer, the folder will be empty. @@ -804,12 +821,7 @@ If you do not configure this setting, the default is to display Computer as usua > In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents does not hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -828,29 +840,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross mark
YesYes
@@ -866,7 +883,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes most occurrences of the My Documents icon. +Removes most occurrences of the My Documents icon. This setting removes the My Documents icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. @@ -878,12 +895,6 @@ This setting does not remove the My Documents icon from the Start menu. To do so > To make changes to this setting effective, you must log off from and log back on to Windows 2000 Professional. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -902,28 +913,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -940,7 +957,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Network Locations icon from the desktop. +Removes the Network Locations icon from the desktop. This setting only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network. @@ -948,12 +965,7 @@ This setting only affects the desktop icon. It does not prevent users from conne > In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Network Places icon. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -972,28 +984,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1010,19 +1028,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This setting hides Properties on the context menu for Computer. +This setting hides Properties on the context menu for Computer. If you enable this setting, the Properties option will not be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected. If you disable or do not configure this setting, the Properties option is displayed as usual. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1041,28 +1054,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1079,7 +1098,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon. +This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon. If you enable this policy setting, the Properties menu command will not be displayed when the user does any of the following: @@ -1090,12 +1109,7 @@ If you enable this policy setting, the Properties menu command will not be displ If you disable or do not configure this policy setting, the Properties menu command is displayed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1114,28 +1128,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1152,19 +1172,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Remote shared folders are not added to Network Locations whenever you open a document in the shared folder. +Remote shared folders are not added to Network Locations whenever you open a document in the shared folder. If you disable this setting or do not configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations. If you enable this setting, shared folders are not added to Network Locations automatically when you open a document in the shared folder. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1183,28 +1198,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1221,7 +1242,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes most occurrences of the Recycle Bin icon. +Removes most occurrences of the Recycle Bin icon. This setting removes the Recycle Bin icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. @@ -1231,12 +1252,6 @@ This setting does not prevent the user from using other methods to gain access t > To make changes to this setting effective, you must log off and then log back on. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1255,28 +1270,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1293,19 +1314,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes the Properties option from the Recycle Bin context menu. +Removes the Properties option from the Recycle Bin context menu. If you enable this setting, the Properties option will not be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected. If you disable or do not configure this setting, the Properties option is displayed as usual. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1324,28 +1340,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1362,17 +1384,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from saving certain changes to the desktop. +Prevents users from saving certain changes to the desktop. If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1391,28 +1408,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1429,19 +1452,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. +Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. If you enable this policy, application windows will not be minimized or restored when the active window is shaken back and forth with the mouse. If you disable or do not configure this policy, this window minimizing and restoring gesture will apply. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1460,28 +1477,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1498,7 +1521,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Specifies the desktop background ("wallpaper") displayed on all users' desktops. +Specifies the desktop background ("wallpaper") displayed on all users' desktops. This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp) or JPEG (*.jpg) file. @@ -1512,12 +1535,6 @@ Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Pr > This setting does not apply to remote desktop server sessions. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1536,28 +1553,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1574,19 +1597,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from adding Web content to their Active Desktop. +Prevents users from adding Web content to their Active Desktop. This setting removes the "New" button from Web tab in Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. This setting does not remove existing Web content from their Active Desktop, or prevent users from removing existing Web content. Also, see the "Disable all items" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1605,28 +1622,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1643,7 +1666,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from removing Web content from their Active Desktop. +Prevents users from removing Web content from their Active Desktop. In Active Desktop, you can add items to the desktop but close them so they are not displayed. @@ -1653,12 +1676,7 @@ If you enable this setting, items added to the desktop cannot be closed; they al > This setting does not prevent users from deleting items from their Active Desktop. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1677,28 +1695,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1715,7 +1739,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from deleting Web content from their Active Desktop. +Prevents users from deleting Web content from their Active Desktop. This setting removes the Delete button from the Web tab in Display in Control Panel. As a result, users can temporarily remove, but not delete, Web content from their Active Desktop. @@ -1724,12 +1748,7 @@ This setting does not prevent users from adding Web content to their Active Desk Also, see the "Prohibit closing items" and "Disable all items" settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1748,28 +1767,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1786,17 +1811,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the properties of Web content items on their Active Desktop. +Prevents users from changing the properties of Web content items on their Active Desktop. This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users cannot change the properties of an item, such as its synchronization schedule, password, or display characteristics. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1815,28 +1835,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1853,7 +1879,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Removes Active Desktop content and prevents users from adding Active Desktop content. +Removes Active Desktop content and prevents users from adding Active Desktop content. This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. @@ -1861,12 +1887,7 @@ This setting removes all Active Desktop items from the desktop. It also removes > This setting does not disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1885,28 +1906,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1923,7 +1950,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Adds and deletes specified Web content items. +Adds and deletes specified Web content items. You can use the "Add" box in this setting to add particular Web-based items or shortcuts to users' desktops. Users can close or delete the items (if settings allow), but the items are added again each time the setting is refreshed. @@ -1936,12 +1963,7 @@ You can also use this setting to delete particular Web-based items from users' d > For this setting to take affect, you must log off and log on to the system. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1960,28 +1982,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1998,7 +2026,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from manipulating desktop toolbars. +Prevents users from manipulating desktop toolbars. If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars. @@ -2011,12 +2039,7 @@ If you enable this setting, users cannot add or remove toolbars from the desktop Also, see the "Prohibit adjusting desktop toolbars" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2035,28 +2058,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2073,7 +2102,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars. +Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars. This setting does not prevent users from adding or removing toolbars on the desktop. @@ -2083,12 +2112,7 @@ This setting does not prevent users from adding or removing toolbars on the desk Also, see the "Prevent adding, dragging, dropping and closing the Taskbar's toolbars" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2107,28 +2131,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -2145,17 +2175,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper". +Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper". Also, see the "Desktop Wallpaper" and the "Prevent changing wallpaper" (in User Configuration\Administrative Templates\Control Panel\Display) settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -2168,7 +2193,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md index 470b11eb3f..b8b64ce774 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DeviceInstallation -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -57,28 +62,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -95,19 +106,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. +This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -126,28 +132,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -164,19 +176,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation. +This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation. If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation. If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -195,28 +202,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -233,19 +246,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation. +This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation. If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation. If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -264,28 +272,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -302,19 +316,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. +This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation. If you disable or do not configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -333,28 +342,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -371,7 +386,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. +This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot. @@ -380,12 +395,7 @@ If you disable or do not configure this policy setting, the system does not forc Note: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -404,28 +414,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -442,18 +458,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device. +This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -472,28 +483,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -510,19 +527,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. +This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. If you enable this policy setting, Windows does not create a system restore point when one would normally be created. If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -541,28 +553,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -579,7 +597,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system. +This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system. If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store. @@ -587,12 +605,7 @@ If you disable or do not configure this policy setting, only members of the Admi -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -605,6 +618,4 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md index 8816d46b2e..17ee9b18a7 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicesetup.md +++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DeviceSetup -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -39,28 +44,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -77,19 +88,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off "Found New Hardware" balloons during device installation. +This policy setting allows you to turn off "Found New Hardware" balloons during device installation. If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed. If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -108,28 +114,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -146,7 +158,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the order in which Windows searches source locations for device drivers. +This policy setting allows you to specify the order in which Windows searches source locations for device drivers. If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all. @@ -155,12 +167,6 @@ Note that searching always implies that Windows will attempt to search Windows U If you disable or do not configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -173,7 +179,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md index b41032d0f8..e9379aa5be 100644 --- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md +++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DigitalLocker -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -39,28 +44,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -77,7 +88,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Digital Locker can run. +This policy setting specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. @@ -86,12 +97,7 @@ If you enable this setting, Digital Locker will not run. If you disable or do not configure this setting, Digital Locker can be run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -110,28 +116,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?Editionwindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -148,7 +160,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Digital Locker can run. +This policy setting specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. @@ -157,12 +169,7 @@ If you enable this setting, Digital Locker will not run. If you disable or do not configure this setting, Digital Locker can be run. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -175,8 +182,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md index 1151c3fbae..ed55f58aa5 100644 --- a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md +++ b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DistributedLinkTracking -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -36,28 +41,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -74,7 +85,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. +This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. The DLT client can more reliably track links when allowed to use the DLT server. This policy should not be set unless the DLT server is running on all domain controllers in the domain. @@ -83,12 +94,6 @@ This policy should not be set unless the DLT server is running on all domain con > This policy setting applies to all sites in Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -101,8 +106,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index 6d020b3a32..f1dc91e8d4 100644 --- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_DnsClient -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -99,28 +103,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -137,19 +147,14 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. +This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names, such as "www.example.com" in addition to single-label names. If you disable this policy setting, or if you do not configure this policy setting, NetBT queries will only be issued for single-label names, such as "example" and not for multi-label and fully qualified domain names. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -167,28 +172,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -205,7 +216,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. +This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot. @@ -220,12 +231,6 @@ If you disable this policy setting, no suffixes are appended to unqualified mult If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -244,28 +249,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -282,19 +293,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. +This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting. If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -313,28 +319,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -351,7 +363,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. +This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. @@ -375,12 +387,7 @@ If you enable this policy setting and DNS devolution is also enabled, DNS client If you disable this policy setting or do not configure it, DNS clients use the default devolution level of two provided that DNS devolution is enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -400,28 +407,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -438,19 +451,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. +This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. If this policy setting is enabled, IDNs are not converted to Punycode. If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -469,28 +477,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -507,19 +521,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. +This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. If this policy setting is enabled, IDNs are converted to the Nameprep form. If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -538,28 +547,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -576,7 +591,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. +This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address. @@ -585,12 +600,7 @@ If you enable this policy setting, the list of DNS servers is applied to all net If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -609,28 +619,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -647,7 +663,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). +This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order. @@ -657,12 +673,6 @@ If you disable this policy setting, or if you do not configure this policy setti > This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -682,28 +692,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -720,7 +736,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. +This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com. @@ -733,12 +749,7 @@ You can use this policy setting to prevent users, including local administrators If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -757,28 +768,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -795,7 +812,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. +This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com. @@ -807,12 +824,7 @@ Important: This policy setting is ignored on a DNS client computer if dynamic DN If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -831,28 +843,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -869,7 +887,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS client computers will register PTR resource records. +This policy setting specifies if DNS client computers will register PTR resource records. By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record. @@ -883,12 +901,7 @@ To use this policy setting, click Enabled, and then select one of the following If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -907,28 +920,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -945,19 +964,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. +This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled. If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -976,28 +990,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1014,7 +1034,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. +This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers. @@ -1025,12 +1045,7 @@ If you enable this policy setting or if you do not configure this policy setting If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1049,28 +1064,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1087,7 +1108,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. +This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records. @@ -1101,12 +1122,7 @@ If you enable this policy setting, registration refresh interval that you specif If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1125,28 +1141,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1163,7 +1185,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. +This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes). @@ -1172,12 +1194,7 @@ If you enable this policy setting, the TTL value that you specify will be applie If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes). -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1196,28 +1213,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1234,7 +1257,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. +This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com." @@ -1247,12 +1270,7 @@ If you enable this policy setting, one DNS suffix is attached at a time for each If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1272,28 +1290,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1310,19 +1334,14 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. +This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1341,28 +1360,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1379,7 +1404,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). +This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks. @@ -1389,12 +1414,6 @@ If you disable this policy setting, or if you do not configure this policy setti > This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1413,28 +1432,33 @@ ADMX Info: - - + + + - - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross mark
NoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1451,7 +1475,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security level for dynamic DNS updates. +This policy setting specifies the security level for dynamic DNS updates. To use this policy setting, click Enabled and then select one of the following values: @@ -1464,12 +1488,7 @@ If you enable this policy setting, computers that attempt to send dynamic DNS up If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1488,28 +1507,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1526,7 +1551,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." +This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone. @@ -1535,12 +1560,7 @@ If you enable this policy setting, computers send dynamic updates to any zone th If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1559,28 +1579,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1597,7 +1623,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. +This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. @@ -1622,12 +1648,7 @@ If you enable this policy setting, or if you do not configure this policy settin If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1646,28 +1667,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -1684,7 +1711,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. +This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. @@ -1693,12 +1720,7 @@ If you enable this policy setting, LLMNR will be disabled on all available netwo If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -1710,7 +1732,5 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md index ad2161edfc..b8fc8128ce 100644 --- a/windows/client-management/mdm/policy-csp-admx-dwm.md +++ b/windows/client-management/mdm/policy-csp-admx-dwm.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_DWM -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -51,28 +56,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -89,7 +100,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default color for window frames when the user does not specify a color. +This policy setting controls the default color for window frames when the user does not specify a color. If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. @@ -99,12 +110,6 @@ If you disable or do not configure this policy setting, the default internal col > This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -124,28 +129,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -162,7 +173,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default color for window frames when the user does not specify a color. +This policy setting controls the default color for window frames when the user does not specify a color. If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. @@ -172,12 +183,7 @@ If you disable or do not configure this policy setting, the default internal col > This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -196,28 +202,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -234,7 +246,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. +This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. If you enable this policy setting, window animations are turned off. @@ -243,12 +255,7 @@ If you disable or do not configure this policy setting, window animations are tu Changing this policy setting requires a logoff for it to be applied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -267,28 +274,33 @@ ADMX Info: - - + + + - + + - + + - - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross mark
NoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -305,7 +317,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. +This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. If you enable this policy setting, window animations are turned off. @@ -314,12 +326,7 @@ If you disable or do not configure this policy setting, window animations are tu Changing this policy setting requires a logoff for it to be applied. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -338,28 +345,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -376,7 +389,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to change the color of window frames. +This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent users from changing the default window frame color. @@ -386,12 +399,7 @@ If you disable or do not configure this policy setting, you allow users to chang > This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -410,28 +418,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -448,7 +462,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to change the color of window frames. +This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent users from changing the default window frame color. @@ -458,12 +472,6 @@ If you disable or do not configure this policy setting, you allow users to chang > This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -476,7 +484,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md index 454bd47f86..f339803e93 100644 --- a/windows/client-management/mdm/policy-csp-admx-eaime.md +++ b/windows/client-management/mdm/policy-csp-admx-eaime.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_EAIME -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -69,29 +74,33 @@ manager: dansimp - - + + + - + + - + + - - + + - + + - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross mark
NoNo
Enterprisecheck markYesYes
Educationcross mark
YesYes
@@ -107,7 +116,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists. +This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists. If you enable this policy setting, Non-Publishing Standard Glyph is not included in the candidate list when Publishing Standard Glyph for the word exists. @@ -119,12 +128,7 @@ This policy setting applies to Japanese Microsoft IME only. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -143,28 +147,33 @@ ADMX Info: - - + + + - + + - + + - - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross mark
NoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -181,7 +190,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict character code range of conversion by setting character filter. +This policy setting allows you to restrict character code range of conversion by setting character filter. If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME. You can specify multiple ranges by setting a value combined with a bitwise OR of following values: @@ -205,12 +214,7 @@ This policy setting applies to Japanese Microsoft IME only. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -229,28 +233,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -267,7 +277,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off the ability to use a custom dictionary. +This policy setting allows you to turn off the ability to use a custom dictionary. If you enable this policy setting, you cannot add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion. @@ -281,12 +291,7 @@ This policy setting is applied to Japanese Microsoft IME. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -305,28 +310,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -343,7 +354,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off history-based predictive input. +This policy setting allows you to turn off history-based predictive input. If you enable this policy setting, history-based predictive input is turned off. @@ -355,12 +366,6 @@ This policy setting applies to Japanese Microsoft IME only. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -379,28 +384,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -417,7 +428,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Internet search integration. +This policy setting allows you to turn off Internet search integration. Search integration includes both using Search Provider (Japanese Microsoft IME) and performing Bing search from predictive input for Japanese Microsoft IME. @@ -431,12 +442,7 @@ This policy setting applies to Japanese Microsoft IME. > Changes to this setting will not take effect until the user logs off. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -455,28 +461,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -493,7 +505,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Open Extended Dictionary. +This policy setting allows you to turn off Open Extended Dictionary. If you enable this policy setting, Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary. @@ -504,12 +516,7 @@ If you disable or do not configure this policy setting, Open Extended Dictionary This policy setting is applied to Japanese Microsoft IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -528,28 +535,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -566,7 +579,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off saving the auto-tuning result to file. +This policy setting allows you to turn off saving the auto-tuning result to file. If you enable this policy setting, the auto-tuning data is not saved to file. @@ -575,12 +588,7 @@ If you disable or do not configure this policy setting, auto-tuning data is save This policy setting applies to Japanese Microsoft IME only. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -599,28 +607,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -637,7 +651,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. +This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. @@ -648,12 +662,7 @@ If you don't configure this policy setting, it will be turned off by default, an This Policy setting applies to Microsoft CHS Pinyin IME and JPN IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -672,28 +681,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -710,7 +725,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. +This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. @@ -721,12 +736,7 @@ If you don't configure this policy setting, it will be turned off by default, an This Policy setting applies only to Microsoft CHS Pinyin IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -745,28 +755,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -783,7 +799,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the lexicon update feature, which downloads hot and popular words lexicon to local PC. +This policy setting controls the lexicon update feature, which downloads hot and popular words lexicon to local PC. If you enable this policy setting, the functionality associated with this feature is turned on, hot and popular words lexicon can be downloaded to local PC, the user is able to turn it on or off in settings. @@ -794,12 +810,7 @@ If you don't configure this policy setting, it will be turned on by default, and This Policy setting applies only to Microsoft CHS Pinyin IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -818,28 +829,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -856,7 +873,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the live sticker feature, which uses an online service to provide stickers online. +This policy setting controls the live sticker feature, which uses an online service to provide stickers online. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the live stickers, and the user won't be able to turn it off. @@ -867,12 +884,7 @@ If you don't configure this policy setting, it will be turned off by default, an This Policy setting applies only to Microsoft CHS Pinyin IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -891,28 +903,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -929,7 +947,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on logging of misconversion for the misconversion report. +This policy setting allows you to turn on logging of misconversion for the misconversion report. If you enable this policy setting, misconversion logging is turned on. @@ -938,12 +956,7 @@ If you disable or do not configure this policy setting, misconversion logging is This policy setting applies to Japanese Microsoft IME and Traditional Chinese IME. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -956,7 +969,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md index d5cdf442da..c302a45683 100644 --- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md +++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_EncryptFilesonMove -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -36,28 +41,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -74,7 +85,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. +This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder. @@ -83,12 +94,7 @@ If you disable or do not configure this policy setting, File Explorer automatica This setting applies only to files moved within a volume. When files are moved to other volumes, or if you create a new file in an encrypted folder, File Explorer encrypts those files automatically. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -101,8 +107,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md index a77d1438d2..2d325be21b 100644 --- a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md +++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md @@ -13,8 +13,13 @@ manager: dansimp --- # Policy CSP - ADMX_EnhancedStorage -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -51,28 +56,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -89,19 +100,13 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer. +This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer. If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer. If you disable or do not configure this policy setting, all Enhanced Storage devices are usable on your computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -120,28 +125,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -158,19 +169,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. +This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer. If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -189,28 +194,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -227,19 +238,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. +This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device. If you disable or do not configure this policy setting, a password can be used to unlock an Enhanced Storage device. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -258,28 +263,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -296,19 +307,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. +This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer. If you disable or do not configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -327,28 +332,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -365,7 +376,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting locks Enhanced Storage devices when the computer is locked. +This policy setting locks Enhanced Storage devices when the computer is locked. This policy setting is supported in Windows Server SKUs only. @@ -374,12 +385,6 @@ If you enable this policy setting, the Enhanced Storage device remains locked wh If you disable or do not configure this policy setting, the Enhanced Storage device state is not changed when the computer is locked. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -398,28 +403,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -436,19 +447,13 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device. +This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device. If you enable this policy setting, only USB root hub connected Enhanced Storage devices are allowed. If you disable or do not configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -461,8 +466,5 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. - diff --git a/windows/client-management/mdm/policy-csp-admx-radar.md b/windows/client-management/mdm/policy-csp-admx-radar.md new file mode 100644 index 0000000000..f1161f6d53 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-radar.md @@ -0,0 +1,114 @@ +--- +title: Policy CSP - ADMX_Radar +description: Policy CSP - ADMX_Radar +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/08/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Radar + +
+ + +## ADMX_Radar policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_Radar/WdiScenarioExecutionPolicy +
+
+ + +
+ + +**ADMX_Radar/WdiScenarioExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy determines the execution level for Windows Resource Exhaustion Detection and Resolution. + +- If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Resource Exhaustion problems and attempt to determine their root causes. + +These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Resource Exhaustion problems and indicate to the user that assisted resolution is available. + +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Resource Exhaustion problems that are handled by the DPS. + +If you do not configure this policy setting, the DPS will enable Windows Resource Exhaustion for resolution by default. +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. No system restart or service restart is required for this policy to take effect: changes take effect immediately. This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + + + + +ADMX Info: +- GP Friendly name: *Configure Scenario Execution Level* +- GP name: *WdiScenarioExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Windows Resource Exhaustion Detection and Resolution* +- GP ADMX file name: *Radar.admx* + +
+ + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md new file mode 100644 index 0000000000..f19401826c --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md @@ -0,0 +1,114 @@ +--- +title: Policy CSP - ADMX_sdiagschd +description: Policy CSP - ADMX_sdiagschd +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/17/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_sdiagschd + +
+ + +## ADMX_sdiagschd policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy +
+
+ + +
+ + +**ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy determines whether scheduled diagnostics will run to proactively detect and resolve system problems. + +- If you enable this policy setting, you must choose an execution level. + +If you choose detection and troubleshooting only, Windows will periodically detect and troubleshoot problems. The user will be notified of the problem for interactive resolution. +If you choose detection, troubleshooting and resolution, Windows will resolve some of these problems silently without requiring user input. + +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve problems on a scheduled basis. + +If you do not configure this policy setting, local troubleshooting preferences will take precedence, as configured in the control panel. If no local troubleshooting preference is configured, scheduled diagnostics are enabled for detection, troubleshooting and resolution by default. No reboots or service restarts are required for this policy to take effect: changes take effect immediately. This policy setting will only take effect when the Task Scheduler service is in the running state. When the service is stopped or disabled, scheduled diagnostics will not be executed. The Task Scheduler service can be configured with the Services snap-in to the Microsoft Management Console. + + + + +ADMX Info: +- GP Friendly name: *Configure Scheduled Maintenance Behavior* +- GP name: *ScheduledDiagnosticsExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Scheduled Maintenance* +- GP ADMX file name: *sdiagschd.admx* + + + +
+ + + + diff --git a/windows/client-management/mdm/policy-csp-admx-servermanager.md b/windows/client-management/mdm/policy-csp-admx-servermanager.md new file mode 100644 index 0000000000..2bdd21ec6f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-servermanager.md @@ -0,0 +1,341 @@ +--- +title: Policy CSP - ADMX_ServerManager +description: Policy CSP - ADMX_ServerManager +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/18/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ServerManager + +
+ + +## ADMX_ServerManager policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_ServerManager/Do_not_display_Manage_Your_Server_page +
+
+ ADMX_ServerManager/ServerManagerAutoRefreshRate +
+
+ ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks +
+
+ ADMX_ServerManager/DoNotLaunchServerManager +
+
+ + +
+ + +**ADMX_ServerManager/Do_not_display_Manage_Your_Server_page** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to turn off the automatic display of Server Manager at logon. + +- If you enable this policy setting, Server Manager is not displayed automatically when a user logs on to the server. + +- If you disable this policy setting, Server Manager is displayed automatically when a user logs on to the server. + +If you do not configure this policy setting, Server Manager is displayed when a user logs on to the server. However, if the "Do not show me this console at logon" (Windows Server 2008 and Windows Server 2008 R2) or “Do not start Server Manager automatically at logon” (Windows Server 2012) option is selected, the console is not displayed automatically at logon. + +> [!NOTE] +> Regardless of the status of this policy setting, Server Manager is available from the Start menu or the Windows taskbar. + + + + + +ADMX Info: +- GP Friendly name: *Do not display Server Manager automatically at logon* +- GP name: *Do_not_display_Manage_Your_Server_page* +- GP path: *System\Server Manager* +- GP ADMX file name: *ServerManager.admx* + + + +
+ + + +**ADMX_ServerManager/ServerManagerAutoRefreshRate** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to set the refresh interval for Server Manager. Each refresh provides Server Manager with updated information about which roles and features are installed on servers that you are managing by using Server Manager. Server Manager also monitors the status of roles and features installed on managed servers. + +- If you enable this policy setting, Server Manager uses the refresh interval specified in the policy setting instead of the “Configure Refresh Interval” setting (in Windows Server 2008 and Windows Server 2008 R2), or the “Refresh the data shown in Server Manager every [x] [minutes/hours/days]” setting (in Windows Server 2012) that is configured in the Server Manager console. + +- If you disable this policy setting, Server Manager does not refresh automatically. If you do not configure this policy setting, Server Manager uses the refresh interval settings that are specified in the Server Manager console. + +> [!NOTE] +> The default refresh interval for Server Manager is two minutes in Windows Server 2008 and Windows Server 2008 R2, or 10 minutes in Windows Server 2012. + + + + + + +ADMX Info: +- GP Friendly name: *Configure the refresh interval for Server Manager* +- GP name: *ServerManagerAutoRefreshRate* +- GP path: *System\Server Manager* +- GP ADMX file name: *ServerManager.admx* + + + +
+ + +**ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to turn off the automatic display of the Initial Configuration Tasks window at logon on Windows Server 2008 and Windows Server 2008 R2. + +- If you enable this policy setting, the Initial Configuration Tasks window is not displayed when an administrator logs on to the server. + +- If you disable this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server. + +If you do not configure this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server. However, if an administrator selects the "Do not show this window at logon" option, the window is not displayed on subsequent logons. + + + + + +ADMX Info: +- GP Friendly name: *Do not display Initial Configuration Tasks window automatically at logon* +- GP name: *DoNotLaunchInitialConfigurationTasks* +- GP path: *System\Server Manager* +- GP ADMX file name: *ServerManager.admx* + + + +
+ + +**ADMX_ServerManager/DoNotLaunchServerManager** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to turn off the automatic display of the Manage Your Server page. + +- If you enable this policy setting, the Manage Your Server page is not displayed each time an administrator logs on to the server. + +- If you disable or do not configure this policy setting, the Manage Your Server page is displayed each time an administrator logs on to the server. + +However, if the administrator has selected the "Don’t display this page at logon" option at the bottom of the Manage Your Server page, the page is not displayed. + + + + + +ADMX Info: +- GP Friendly name: *Do not display Manage Your Server page at logon* +- GP name: *DoNotLaunchServerManager* +- GP path: *System\Server Manager* +- GP ADMX file name: *ServerManager.admx* + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-soundrec.md b/windows/client-management/mdm/policy-csp-admx-soundrec.md new file mode 100644 index 0000000000..8e63a59f12 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-soundrec.md @@ -0,0 +1,181 @@ +--- +title: Policy CSP - ADMX_SoundRec +description: Policy CSP - ADMX_SoundRec +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_SoundRec + +
+ + +## ADMX_SoundRec policies + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + +
+
+ ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1 +
+
+ ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2 +
+
+ + +
+ + +**ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file. + +If you enable this policy setting, Sound Recorder will not run. + +If you disable or do not configure this policy setting, Sound Recorder can be run. + + + + +ADMX Info: +- GP Friendly name: *Do not allow Sound Recorder to run* +- GP name: *Soundrec_DiableApplication_TitleText_1* +- GP path: *Windows Components\Sound Recorder* +- GP ADMX file name: *SettingSync.admx* + + + +
+ + + +**ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file. + +If you enable this policy setting, Sound Recorder will not run. + +If you disable or do not configure this policy setting, Sound Recorder can be run. + + + + +ADMX Info: +- GP Friendly name: *Do not allow Sound Recorder to run* +- GP name: *Soundrec_DiableApplication_TitleText_2* +- GP path: *Windows Components\Sound Recorder* +- GP ADMX file name: *SettingSync.admx* + + + +
+ + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index ae3f3a712b..2ad51bd5de 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -563,8 +563,6 @@ items: href: policy-csp-admx-printing2.md - name: ADMX_Programs href: policy-csp-admx-programs.md - - name: ADMX_PushToInstall - href: policy-csp-admx-pushtoinstall.md - name: ADMX_Reliability href: policy-csp-admx-reliability.md - name: ADMX_RemoteAssistance @@ -577,10 +575,14 @@ items: href: policy-csp-admx-scripts.md - name: ADMX_sdiageng href: policy-csp-admx-sdiageng.md + - name: ADMX_sdiagschd + href: policy-csp-admx-sdiagschd.md - name: ADMX_Securitycenter href: policy-csp-admx-securitycenter.md - name: ADMX_Sensors href: policy-csp-admx-sensors.md + - name: ADMX_ServerManager + href: policy-csp-admx-servermanager.md - name: ADMX_Servicing href: policy-csp-admx-servicing.md - name: ADMX_SettingSync @@ -597,6 +599,8 @@ items: href: policy-csp-admx-smartcard.md - name: ADMX_Snmp href: policy-csp-admx-snmp.md + - name: ADMX_SoundRec + href: policy-csp-admx-soundrec.md - name: ADMX_StartMenu href: policy-csp-admx-startmenu.md - name: ADMX_SystemRestore diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 18817d1d38..cdcc9f1abd 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -134,13 +134,13 @@ href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md - name: Subscription Activation items: - - name: Windows 10 Subscription Activation + - name: Windows 10/11 Subscription Activation href: windows-10-subscription-activation.md - - name: Windows 10 Enterprise E3 in CSP + - name: Windows 10/11 Enterprise E3 in CSP href: windows-10-enterprise-e3-overview.md - name: Configure VDA for Subscription Activation href: vda-subscription-activation.md - - name: Deploy Windows 10 Enterprise licenses + - name: Deploy Windows 10/11 Enterprise licenses href: deploy-enterprise-licenses.md - name: Deploy Windows 10 updates items: diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 1101efd400..9b4d7283c3 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -1,10 +1,10 @@ --- -title: Deploy Windows 10 Enterprise licenses +title: Deploy Windows 10/11 Enterprise licenses ms.reviewer: manager: laurawi ms.audience: itpro ms.author: greglin -description: Steps to deploy Windows 10 Enterprise licenses for Windows 10 Enterprise E3 or E5 Subscription Activation, or for Windows 10 Enterprise E3 in CSP +description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise licenses for Windows 10/11 Enterprise E3 or E5 Subscription Activation, or for Windows 10/11 Enterprise E3 in CSP keywords: upgrade, update, task sequence, deploy ms.prod: w10 ms.mktglfcycl: deploy @@ -16,18 +16,18 @@ author: greg-lindsay ms.topic: article --- -# Deploy Windows 10 Enterprise licenses +# Deploy Windows 10/11 Enterprise licenses -This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). +This topic describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md) or [Windows 10/11 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). ->[!NOTE] ->* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. ->* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. ->* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. ->* Windows 10 Enterprise Subscription Activation requires Windows 10 Enterprise per user licensing; it does not work on per device based licensing. +> [!NOTE] +> * Windows 10/11 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. Windows 11 is considered "later" in this context. +> * Windows 10/11 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. +> * Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. +> * Windows 10/11 Enterprise Subscription Activation requires Windows 10/11 Enterprise per user licensing; it does not work on per device based licensing. ->[!IMPORTANT] ->An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0. +> [!IMPORTANT] +> An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0. > >Also ensure that the Group Policy setting: Computer Configuration > Administrative Templates > Windows Components > Windows Update > "Do not connect to any Windows Update Internet locations" is set to "Disabled". @@ -50,24 +50,17 @@ If you are an EA customer with an existing Office 365 tenant, use the following - **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 - **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 -1. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. - -1. The admin can now assign subscription licenses to users. +2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. +3. The admin can now assign subscription licenses to users. Use the following process if you need to update contact information and retrigger activation in order to resend the activation email: 1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). - 2. Click **Subscriptions**. - 3. Click **Online Services Agreement List**. - 4. Enter your agreement number, and then click **Search**. - 5. Click the **Service Name**. - 6. In the **Subscription Contact** section, click the name listed under **Last Name**. - 7. Update the contact information, then click **Update Contact Details**. This will trigger a new email. Also in this article: @@ -76,9 +69,9 @@ Also in this article: ## Active Directory synchronization with Azure AD -You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. +You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10/11 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. -You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. +You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10/11 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. **Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. @@ -91,16 +84,16 @@ For more information about integrating on-premises AD DS domains with Azure AD, - [Integrating your on-premises identities with Azure Active Directory](/azure/active-directory/hybrid/whatis-hybrid-identity) - [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) ->[!NOTE] ->If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. +> [!NOTE] +> If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers. ## Preparing for deployment: reviewing requirements -Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. +Devices must be running Windows 10 Pro, version 1703, or later and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. ## Assigning licenses to users -Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: +Upon acquisition of Windows 10/11 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: > [!div class="mx-imgBorder"] > ![profile.](images/al01.png) @@ -121,11 +114,11 @@ The following methods are available to assign licenses: ## Explore the upgrade experience -Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10 Enterprise. What will the users experience? How will they upgrade their devices? +Now that your subscription has been established and Windows 10/11 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10/11 Enterprise. What will the users experience? How will they upgrade their devices? -### Step 1: Join Windows 10 Pro devices to Azure AD +### Step 1: Join Windows 10/11 Pro devices to Azure AD -Users can join a Windows 10 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703. +Users can join a Windows 10/11 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703 or later. **To join a device to Azure AD the first time the device is started** @@ -176,16 +169,15 @@ Now the device is Azure AD–joined to the company's subscription. ### Step 2: Pro edition activation ->[!IMPORTANT] ->If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. ->If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. +> [!IMPORTANT] +> If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key. +> If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**.
Windows 10 Pro activated
Figure 7a - Windows 10 Pro activation in Settings -Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). - +Windows 10/11 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). ### Step 3: Sign in using Azure AD account @@ -197,35 +189,33 @@ Once the device is joined to your Azure AD subscription, the user will sign in b ### Step 4: Verify that Enterprise edition is enabled -You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**. +You can verify the Windows 10/11 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**.
Windows 10 activated and subscription active **Figure 9 - Windows 10 Enterprise subscription in Settings** +If there are any problems with the Windows 10/11 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. -If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. - ->[!NOTE] ->If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following: ->Name: Windows(R), Professional edition ->Description: Windows(R) Operating System, RETAIL channel ->Partial Product Key: 3V66T +> [!NOTE] +> If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following: +> Name: Windows(R), Professional edition +> Description: Windows(R) Operating System, RETAIL channel +> Partial Product Key: 3V66T ## Virtual Desktop Access (VDA) -Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://aka.ms/qmth). +Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [Qualified Multitenant Hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download). Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md). ## Troubleshoot the user experience -In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows: +In some instances, users may experience problems with the Windows 10/11 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows: - The existing Windows 10 Pro, version 1703 or 1709 operating system is not activated. This problem does not apply to Windows 10, version 1803 or later. - -- The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed. +- The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed. Use the following figures to help you troubleshoot when users experience these common problems: diff --git a/windows/deployment/update/delivery-optimization-workflow.md b/windows/deployment/update/delivery-optimization-workflow.md index 4336f3ab23..8a493889bd 100644 --- a/windows/deployment/update/delivery-optimization-workflow.md +++ b/windows/deployment/update/delivery-optimization-workflow.md @@ -40,5 +40,5 @@ This workflow allows Delivery Optimization to securely and efficiently deliver r | kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services as well as device configs. | **countryCode**: The country the client is connected from
**doClientVersion**: The version of the DoSvc client
**Profile**: The device type (for example, PC or Xbox)
**eId**: Client grouping Id
**CacheHost**: Cache host id | | cp\*.prod.do.dsp.mp.microsoft.com
| 443 | Content Policy | Provides content specific policies as well as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**countryCode**: The country the client is connected from
**altCatalogId**: If ContentId isn't available, use the download URL instead
**eId**: Client grouping Id
**CacheHost**: Cache host id | | disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupId and external IP. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**partitionId**: Client partitioning hint
**altCatalogId**: If ContentId isn't available, use the download URL instead
**eId**: Client grouping Id | -| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**altCatalogId**: If ContentId isn't available, use the download URL instead
**PeerId**: Identified of the device running DO client
**ReportedIp**: The internal / private IP Address
**IsBackground**: Is the download interactive or background
**Uploaded**: Total bytes uploaded to peers
**Downloaded**: Total bytes downloaded from peers
**DownloadedCdn**: Total bytes downloaded from CDN
**Left**: Bytes left to download
**Peers Wanted**: Total number of peers wanted
**Group Id**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies)
**Scope**: The Download mode
**UploadedBPS**: The upload speed in bytes per second
**DownloadBPS**: The download speed in Bytes per second
**eId**: Client grouping Id | +| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**altCatalogId**: If ContentId isn't available, use the download URL instead
**PeerId**: Identity of the device running DO client
**ReportedIp**: The internal / private IP Address
**IsBackground**: Is the download interactive or background
**Uploaded**: Total bytes uploaded to peers
**Downloaded**: Total bytes downloaded from peers
**DownloadedCdn**: Total bytes downloaded from CDN
**Left**: Bytes left to download
**Peers Wanted**: Total number of peers wanted
**Group Id**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies)
**Scope**: The Download mode
**UploadedBPS**: The upload speed in bytes per second
**DownloadBPS**: The download speed in Bytes per second
**eId**: Client grouping Id | | dl.delivery.mp.microsoft.com
emdl.ws.microsoft.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. | diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 25ae02c985..a7081e65f1 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -1,7 +1,7 @@ --- -title: Configure VDA for Windows 10 Subscription Activation +title: Configure VDA for Windows 10/11 Subscription Activation ms.reviewer: -manager: laurawi +manager: dougeby ms.audience: itpro ms.author: greglin author: greg-lindsay @@ -18,9 +18,13 @@ ms.topic: article ms.collection: M365-modern-desktop --- -# Configure VDA for Windows 10 Subscription Activation +# Configure VDA for Windows 10/11 Subscription Activation -This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. +Applies to: +- Windows 10 +- Windows 11 + +This document describes how to configure virtual machines (VMs) to enable [Windows 10/11 Subscription Activation](windows-10-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. Deployment instructions are provided for the following scenarios: 1. [Active Directory-joined VMs](#active-directory-joined-vms) @@ -29,31 +33,31 @@ Deployment instructions are provided for the following scenarios: ## Requirements -- VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later. +- VMs must be running Windows 10 Pro, version 1703 or later. Windows 11 is "later" in this context. - VMs must be Active Directory-joined or Azure Active Directory (AAD)-joined. -- VMs must be generation 1. -- VMs must be hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). +- VMs must be hosted by a Qualified Multitenant Hoster (QMTH). + - For more information, see [Qualified Multitenant Hoster Program](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download). ## Activation ### Scenario 1 -- The VM is running Windows 10, version 1803 or later. -- The VM is hosted in Azure or another [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). +- The VM is running Windows 10, version 1803 or later (ex: Windows 11). +- The VM is hosted in Azure or another Qualified Multitenant Hoster (QMTH). - When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure. + When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10/11 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure. ### Scenario 2 - The Hyper-V host and the VM are both running Windows 10, version 1803 or later. - [Inherited Activation](./windows-10-subscription-activation.md#inherited-activation) is enabled. All VMs created by a user with a Windows 10 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account. + [Inherited Activation](./windows-10-subscription-activation.md#inherited-activation) is enabled. All VMs created by a user with a Windows 10/11 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account. ### Scenario 3 -- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) partner. +- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) partner. - In this scenario, the underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. Activation is accomplished using a Windows 10 Pro Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server can be used. KMS activation is provided for Azure VMs. For more information, see [Troubleshoot Azure Windows virtual machine activation problems](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems). + In this scenario, the underlying Windows 10/11 Pro license must be activated prior to Subscription Activation of Windows 10/11 Enterprise. Activation is accomplished using a Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server can be used. KMS activation is provided for Azure VMs. For more information, see [Troubleshoot Azure Windows virtual machine activation problems](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems). For examples of activation issues, see [Troubleshoot the user experience](./deploy-enterprise-licenses.md#troubleshoot-the-user-experience). @@ -147,6 +151,6 @@ To create custom RDP settings for Azure: ## Related topics -[Windows 10 Subscription Activation](windows-10-subscription-activation.md) +[Windows 10/11 Subscription Activation](windows-10-subscription-activation.md)
[Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations)
[Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf) \ No newline at end of file diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index 33fe4e9e80..a4d743c9db 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -1,15 +1,15 @@ --- -title: Windows 10 Enterprise E3 in CSP -description: Describes Windows 10 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10 Enterprise edition. +title: Windows 10/11 Enterprise E3 in CSP +description: Describes Windows 10/11 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10/11 Enterprise edition. keywords: upgrade, update, task sequence, deploy ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt -ms.date: 08/24/2017 +ms.date: 09/28/2021 ms.reviewer: -manager: laurawi +manager: dougeby ms.audience: itpro author: greg-lindsay audience: itpro @@ -17,51 +17,51 @@ ms.collection: M365-modern-desktop ms.topic: article --- -# Windows 10 Enterprise E3 in CSP +# Windows 10/11 Enterprise E3 in CSP -Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: +Applies to: +- Windows 10 +- Windows 11 -- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later, installed and activated, on the devices to be upgraded +Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available. + +Windows 10/11 Enterprise E3 in CSP delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: + +- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded. - Azure Active Directory (Azure AD) available for identity management -Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro. +You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before — with no keys, and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro. -Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features. +Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise or Windows 11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Enterprise edition features. -When you purchase Windows 10 Enterprise E3 via a partner, you get the following benefits: - -- **Windows 10 Enterprise edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB). - -- **Support from one to hundreds of users**. Although the Windows 10 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. +When you purchase Windows 10/11 Enterprise E3 via a partner, you get the following benefits: +- **Windows 10/11 Enterprise edition**. Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB). +- **Support from one to hundreds of users**. Although the Windows 10/11 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. - **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices. - -- **Roll back to Windows 10 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 90 days). - -- **Monthly, per-user pricing model**. This makes Windows 10 Enterprise E3 affordable for any organization. - +- **Roll back to Windows 10/11 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days). +- **Monthly, per-user pricing model**. This makes Windows 10/11 Enterprise E3 affordable for any organization. - **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. -How does the Windows 10 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance? +How does the Windows 10/11 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance? - [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. - - [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits. - - **Training**. These benefits include training vouchers, online e-learning, and a home use program. - - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server. - - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums. - In addition, in Windows 10 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses. + In addition, in Windows 10/11 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses. -In summary, the Windows 10 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to Windows 10 Enterprise edition. +In summary, the Windows 10/11 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to the Enterprise edition of Windows 10 or Windows 11. ## Compare Windows 10 Pro and Enterprise editions +> [!NOTE] +> The following table only lists Windows 10. More information will be available about differences between Windows 11 editions after Windows 11 is generally available. + Windows 10 Enterprise edition has a number of features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management. *Table 1. Windows 10 Enterprise features not found in Windows 10 Pro* @@ -140,19 +140,19 @@ Windows 10 Enterprise edition has a number of features that are unavailable in -## Deployment of Windows 10 Enterprise E3 licenses +## Deployment of Windows 10/11 Enterprise E3 licenses See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). -## Deploy Windows 10 Enterprise features +## Deploy Windows 10/11 Enterprise features -Now that you have Windows 10 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows10-pro-and-enterprise-editions)? +Now that you have Windows 10/11 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows10-pro-and-enterprise-editions)? -The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10 Enterprise edition features. +The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10/11 Enterprise edition features. ### Credential Guard\* -You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods: +You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10/11 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods: - **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices. @@ -174,7 +174,7 @@ For more information about implementing Credential Guard, see the following reso ### Device Guard -Now that the devices have Windows 10 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps: +Now that the devices have Windows 10/11 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps: 1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you will need to create a code signing certificate. @@ -197,7 +197,7 @@ For more information about implementing Device Guard, see: ### AppLocker management -You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that the you have AD DS and that the Windows 10 Enterprise devices are joined to the your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices. +You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that the you have AD DS and that the Windows 10/11 Enterprise devices are joined to the your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices. For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide). @@ -209,7 +209,7 @@ App-V requires an App-V server infrastructure to support App-V clients. The prim - **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app. -- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10 Enterprise E3 devices. +- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10/11 Enterprise E3 devices. For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources: @@ -253,7 +253,7 @@ The Managed User Experience feature is a set of Windows 10 Enterprise edition f ## Related topics -[Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md) -
[Connect domain-joined devices to Azure AD for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan) -
[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare) -
[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx) \ No newline at end of file +[Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md)
+[Connect domain-joined devices to Azure AD for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)
+[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
+[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
\ No newline at end of file diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 16e8c70c2a..4d6d62258a 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -1,6 +1,6 @@ --- -title: Windows 10 Subscription Activation -description: In this article, you will learn how to dynamically enable Windows 10 Enterprise or Education subscriptions. +title: Windows 10/11 Subscription Activation +description: In this article, you will learn how to dynamically enable Windows 10 and Windows 11 Enterprise or Education subscriptions. keywords: upgrade, update, task sequence, deploy ms.custom: seo-marvel-apr2020 ms.prod: w10 @@ -10,52 +10,60 @@ ms.sitesec: library ms.pagetype: mdt audience: itpro author: greg-lindsay -manager: laurawi +manager: dougeby ms.collection: M365-modern-desktop search.appverid: - MET150 ms.topic: article --- -# Windows 10 Subscription Activation +# Windows 10/11 Subscription Activation -Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro to **Windows 10 Enterprise** automatically if they are subscribed to Windows 10 Enterprise E3 or E5. +Applies to: +- Windows 10 +- Windows 11 -With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions—**Windows 10 Education**. +Starting with Windows 10, version 1703, Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro or Windows 11 Pro to **Windows 10 Enterprise** or **Windows 11 Enterprise**, respectively, if they are subscribed to Windows 10/11 Enterprise E3 or E5. -The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. +With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**. -## Subscription Activation for Windows 10 Enterprise +The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. -With Windows 10, version 1703 both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as online services via subscription. Deploying [Windows 10 Enterprise](planning/windows-10-enterprise-faq-itpro.yml) in your organization can now be accomplished with no keys and no reboots. +See the following topics: + +- [Subscription Activation](#subscription-activation-for-windows-1011-enterprise): An introduction to Subscription Activation for Windows 10/11 Enterprise. +- [Subscription Activation for Education](#subscription-activation-for-windows-1011-enterprise): Information about Subscription Activation for Windows 10/11 Education. +- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later. +- [The evolution of deployment](#the-evolution-of-deployment): A short history of Windows deployment. +- [Requirements](#requirements): Prerequisites to use the Windows 10/11 Subscription Activation model. +- [Benefits](#benefits): Advantages of subscription-based licensing. +- [How it works](#how-it-works): A summary of the subscription-based licensing option. +- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): How to enable Windows 10 Subscription Activation for VMs in the cloud. + +For information on how to deploy Enterprise licenses, see [Deploy Windows 10/11 Enterprise licenses](deploy-enterprise-licenses.md). + +## Subscription Activation for Windows 10/11 Enterprise + +With Windows 10, version 1703 and later both Windows 10/11 Enterprise E3 and Windows 10/11 Enterprise E5 are available as online services via subscription. Deploying Windows 10 Enterprise or Windows 11 Enterprise in your organization can now be accomplished with no keys and no reboots. If you are running Windows 10, version 1703 or later: - -- Devices with a current Windows 10 Pro license can be seamlessly upgraded to Windows 10 Enterprise. -- Product key-based Windows 10 Enterprise software licenses can be transitioned to Windows 10 Enterprise subscriptions. +- Devices with a current Windows 10 Pro license or Windows 11 Pro license can be seamlessly upgraded to Windows 10 Enterprise or Windows 11 Enterprise, respectively. +- Product key-based Windows 10 Enterprise or Windows 11 Enterprise software licenses can be transitioned to Windows 10 Enterprise and Windows 11 Enterprise subscriptions. Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](/azure/active-directory/connect/active-directory-aadconnectsync-whatis). -## Subscription Activation for Windows 10 Education +> [!NOTE] +> The Subscription Activation feature is available for qualifying devices running Windows 10 or Windows 11. You cannot use Subscription Activation to upgrade from Windows 10 to Windows 11. -Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later and an active subscription plan with a Windows 10 Enterprise license. For more information, see the [requirements](#windows-10-education-requirements) section. +## Subscription Activation for Education -## Summary - -- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later. -- [The evolution of Windows 10 deployment](#the-evolution-of-deployment): A short history of Windows deployment. -- [Requirements](#requirements): Prerequisites to use the Windows 10 Subscription Activation model. -- [Benefits](#benefits): Advantages of Windows 10 subscription-based licensing. -- [How it works](#how-it-works): A summary of the subscription-based licensing option. -- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): Enable Windows 10 Subscription Activation for VMs in the cloud. - -For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). +Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later (or Windows 11) and an active subscription plan with a Windows 10/11 Enterprise license. For more information, see the [requirements](#windows-1011-education-requirements) section. ## Inherited Activation -Inherited Activation is a new feature available in Windows 10, version 1803 that allows Windows 10 virtual machines to inherit activation state from their Windows 10 host. +Inherited Activation is a new feature available in Windows 10, version 1803 or later (Windows 11 is considered "later" here) that allows Windows 10/11 virtual machines to inherit activation state from their Windows 10/11 host. -When a user with Windows 10 E3/E5 or A3/A5 license assigned creates a new Windows 10 virtual machine (VM) using a Windows 10 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (AAD) account on a VM. +When a user with Windows 10/11 E3/E5 or A3/A5 license assigned creates a new Windows 10 or Windows 11 virtual machine (VM) using a Windows 10/11 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (AAD) account on a VM. To support Inherited Activation, both the host computer and the VM must be running Windows 10, version 1803 or later. The hypervisor platform must also be Windows Hyper-V. @@ -63,43 +71,35 @@ To support Inherited Activation, both the host computer and the VM must be runni > The original version of this section can be found at [Changing between Windows SKUs](/archive/blogs/mniehaus/changing-between-windows-skus). -The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic. - -![Illustration of how Windows 10 deployment has evolved.](images/sa-evolution.png) +The following list illustrates how deploying Windows client has evolved with each release: - **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
- - **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a “repair upgrade” because the OS version was the same before and after).  This was a lot easier than wipe-and-load, but it was still time-consuming.
- - **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU.  This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
- - **Windows 10, version 1607** made a big leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise.  In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.
- - **Windows 10, version 1703** made this “step-up” from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
- - **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, very similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
- - **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It is no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.
- - **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription. +- **Windows 11** updates Subscription Activation to work on both Windows 10 and Windows 11 devices. **Important**: Subscription activation does not update a device from Windows 10 to Windows 11. Only the edition is updated. ## Requirements -### Windows 10 Enterprise requirements +### Windows 10/11 Enterprise requirements > [!NOTE] -> The following requirements do not apply to general Windows 10 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). +> The following requirements do not apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). -> [!NOTE] +> [!IMPORTANT] > Currently, Subscription Activation is only available on commercial tenants and is currently not available on US GCC, GCC High, or DoD tenants. For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: -- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. +- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. Windows 11 is considered a "later" version in this context. - Azure Active Directory (Azure AD) available for identity management. - Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. -For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). +For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10/11 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10/11 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://www.microsoft.com/en-us/microsoft-365/blog/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) @@ -123,14 +123,11 @@ If the device is running Windows 10, version 1809 or later: ![Subscription Activation with MFA example 3.](images/sa-mfa3.png) -### Windows 10 Education requirements +### Windows 10/11 Education requirements - Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded. - - A device with a Windows 10 Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**. - - The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription. - - Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. > [!IMPORTANT] @@ -139,7 +136,7 @@ If the device is running Windows 10, version 1809 or later: ## Benefits -With Windows 10 Enterprise or Windows 10 Education, businesses and institutions can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Education or Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it is available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following: +With Windows 10/11 Enterprise or Windows 10/11 Education, businesses and institutions can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10/11 Education or Windows 10/11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it is available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following: - [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare) - [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/cloud-platform/enterprise-mobility-security-pricing) @@ -158,6 +155,9 @@ You can benefit by moving to Windows as an online service in the following ways: ## How it works +> [!NOTE] +> The following Windows 10 examples and scenarios also apply to Windows 11. + The device is AAD joined from **Settings > Accounts > Access work or school**. The IT administrator assigns Windows 10 Enterprise to a user. See the following figure. @@ -214,8 +214,8 @@ If you’re running Windows 7, it can be more work.  A wipe-and-load approach w The following policies apply to acquisition and renewal of licenses on devices: - Devices that have been upgraded will attempt to renew licenses about every 30 days, and must be connected to the Internet to successfully acquire or renew a license. -- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10 Pro or Windows 10 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew. -- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, the operating system on the computer to which a user has not logged in the longest will revert to Windows 10 Pro or Windows 10 Pro Education. +- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10/11 Pro or Windows 10/11 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew. +- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, the operating system on the computer to which a user has not logged in the longest will revert to Windows 10/11 Pro or Windows 10/11 Pro Education. - If a device meets the requirements and a licensed user signs in on that device, it will be upgraded. Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. @@ -224,7 +224,7 @@ When you have the required Azure AD subscription, group-based licensing is the p ### Existing Enterprise deployments -If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. +If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10/11 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. > [!CAUTION] > Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE (Out Of Box Experience). @@ -273,7 +273,7 @@ See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). ## Virtual Desktop Access (VDA) -Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). +Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index ccb1a890ff..fba0adf89f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -80,7 +80,9 @@ To include the on-premises distinguished name in the certificate's subject, Azur Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_. 1. Open **Synchronization Services** from the **Azure AD Connect** folder. + 2. In the **Synchronization Service Manager**, click **Help** and then click **About**. + 3. If the version number is not **1.1.819** or later, then upgrade Azure AD Connect to the latest version. ### Verify the onPremisesDistinguishedName attribute is synchronized @@ -88,9 +90,13 @@ Sign-in to computer running Azure AD Connect with access equivalent to _local ad The easiest way to verify the onPremisesDistingushedNamne attribute is synchronized is to use Azure AD Graph Explorer. 1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/ + 2. Click **Login** and provide Azure credentials + 3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go** + 4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user. + ![Azure AD Connect On-Prem DN Attribute.](images/aadjcert/aadconnectonpremdn.png) ## Prepare the Network Device Enrollment Services (NDES) Service Account @@ -102,9 +108,13 @@ The deployment uses the **NDES Servers** security group to assign the NDES servi Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Open **Active Directory Users and Computers**. + 2. Expand the domain node from the navigation pane. + 3. Right-click the **Users** container. Hover over **New** and click **Group**. + 4. Type **NDES Servers** in the **Group Name** text box. + 5. Click **OK**. ### Add the NDES server to the NDES Servers global security group @@ -112,8 +122,11 @@ Sign-in to a domain controller or management workstation with access equivalent Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Open **Active Directory Users and Computers**. + 2. Expand the domain node from the navigation pane. -3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group...**. + +3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group**. + 4. Type **NDES Servers** in **Enter the object names to select**. Click **OK**. Click **OK** on the **Active Directory Domain Services** success dialog. > [!NOTE] @@ -126,8 +139,11 @@ The Network Device Enrollment Services (NDES) role runs under a service account. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. In the navigation pane, expand the node that has your domain name. Select **Users**. + 2. Right-click the **Users** container. Hover over **New** and then select **User**. Type **NDESSvc** in **Full Name** and **User logon name**. Click **Next**. + 3. Type a secure password in **Password**. Confirm the secure password in **Confirm Password**. Clear **User must change password at next logon**. Click **Next**. + 4. Click **Finish**. > [!IMPORTANT] @@ -140,15 +156,25 @@ The Group Policy object ensures the NDES Service account has the proper user rig Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. 1. Start the **Group Policy Management Console** (gpmc.msc) + 2. Expand the domain and select the **Group Policy Object** node in the navigation pane. + 3. Right-click **Group Policy object** and select **New**. + 4. Type **NDES Service Rights** in the name box and click **OK**. + 5. In the content pane, right-click the **NDES Service Rights** Group Policy object and click **Edit**. + 6. In the navigation pane, expand **Policies** under **Computer Configuration**. + 7. Expand **Windows Settings > Security Settings > Local Policies**. Select **User Rights Assignments**. + 8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice. + 9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice. + 10. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** three times. + 11. Close the **Group Policy Management Editor**. ### Configure security for the NDES Service User Rights Group Policy object @@ -158,10 +184,15 @@ The best way to deploy the **NDES Service User Rights** Group Policy object is t Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Start the **Group Policy Management Console** (gpmc.msc) + 2. Expand the domain and select the **Group Policy Object** node in the navigation pane. + 3. Double-click the **NDES Service User Rights** Group Policy object. + 4. In the **Security Filtering** section of the content pane, click **Add**. Type **NDES Servers** or the name of the security group you previously created and click **OK**. + 5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**. + 6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. ### Deploy the NDES Service User Rights Group Policy object @@ -171,7 +202,9 @@ The application of the **NDES Service User Rights** Group Policy object uses sec Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Start the **Group Policy Management Console** (gpmc.msc) + 2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO** + 3. In the **Select GPO** dialog box, select **NDES Service User Rights** or the name of the Group Policy object you previously created and click **OK**. > [!IMPORTANT] @@ -197,7 +230,7 @@ Sign-in to the issuing certificate authority with access equivalent to _local ad 1. Open an elevated command prompt and type the following command: - ``` + ```console certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE ``` @@ -210,18 +243,26 @@ NDES uses a server authentication certificate to authenticate the server endpoin Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and click **Duplicate Template**. + 4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. > [!NOTE] > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. 5. On the **Subject** tab, select **Supply in the request**. + 6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**. + 7. On the **Security** tab, click **Add**. + 8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**. + 9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. + 10. Click on the **Apply** to save changes and close the console. ### Create an Azure AD joined Windows Hello for Business authentication certificate template @@ -231,20 +272,30 @@ During Windows Hello for Business provisioning, Windows requests an authenticat Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. 1. Open the **Certificate Authority** management console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. + 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. + 5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. > [!NOTE] > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. 6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. + 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. + 8. On the **Subject** tab, select **Supply in the request**. + 9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**. + 10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**. + 11. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. + 12. Close the console. ### Publish certificate templates @@ -257,10 +308,15 @@ The certificate authority may only issue certificates for certificate templates Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. + 2. Expand the parent node from the navigation pane. + 3. Click **Certificate Templates** in the navigation pane. + 4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. + 5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. + 6. Close the console. ## Install and Configure the NDES Role @@ -282,18 +338,31 @@ Install the Network Device Enrollment Service role on a computer other than the Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. 1. Open **Server Manager** on the NDES server. + 2. Click **Manage**. Click **Add Roles and Features**. + 3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**. + ![Server Manager destination server.](images/aadjCert/servermanager-destination-server-ndes.png) + 4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list. + ![Server Manager AD CS Role.](images/aadjCert/servermanager-adcs-role.png) + Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. - ![Server Manager Add Features.](images/aadjcert/serverManager-adcs-add-features.png) + + ![Server Manager Add Features.](images/aadjcert/servermanager-adcs-add-features.png) + 5. On the **Features** page, expand **.NET Framework 3.5 Features**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Expand **.NET Framework 4.5 Features**. Expand **WCF Services**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. + ![Server Manager Feature HTTP Activation.](images/aadjcert/servermanager-adcs-http-activation.png) + 6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**. Click **Add Features** on the **Add Roles and Features Wizard** dialog box. Click **Next**. + ![Server Manager ADCS NDES Role.](images/aadjcert/servermanager-adcs-ndes-role-checked.png) + 7. Click **Next** on the **Web Server Role (IIS)** page. + 8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**. - **Web Server > Security > Request Filtering** @@ -303,10 +372,13 @@ Sign-in to the certificate authority or management workstations with an _Enterpr - **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility** ![Server Manager Web Server Role.](images/aadjcert/servermanager-adcs-webserver-role.png) + 9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**. + > [!IMPORTANT] > .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \:\\Sources\SxS\ - ![.NET Side by Side.](images/aadjcert/dotNet35sidebyside.png) + + ![.NET Side by Side.](images/aadjcert/dotnet35sidebyside.png) ### Configure the NDES service account @@ -317,8 +389,11 @@ This task adds the NDES service account to the local IIS_USRS group. The task a Sign-in the NDES server with access equivalent to _local administrator_. 1. Start the **Local Users and Groups** management console (`lusrmgr.msc`). + 2. Select **Groups** from the navigation pane. Double-click the IIS_IUSRS group. + 3. In the **IIS_IUSRS Properties** dialog box, click **Add**. Type **NDESSvc** or the name of your NDES service account. Click **Check Names** to verify the name and then click **OK**. Click **OK** to close the properties dialog box. + 4. Close the management console. #### Register a Service Principal Name on the NDES Service account @@ -326,13 +401,16 @@ Sign-in the NDES server with access equivalent to _local administrator_. Sign-in the NDES server with access equivalent to _Domain Admins_. 1. Open an elevated command prompt. + 2. Type the following command to register the service principal name - ``` + ```console setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount] ``` + where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following: - ``` + + ```console setspn -s http/ndes.corp.contoso.com contoso\ndessvc ``` @@ -348,17 +426,29 @@ The NDES service enrolls certificates on behalf of users. Therefore, you want t Sign-in a domain controller with a minimum access equivalent to _Domain Admins_. 1. Open **Active Directory Users and Computers** + 2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab. + ![NDES Delegation Tab.](images/aadjcert/ndessvcdelegationtab.png) + 3. Select **Trust this user for delegation to specified services only**. + 4. Select **Use any authentication protocol**. + 5. Click **Add**. + 6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **HOST**. Click **OK**. + ![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png) + 7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**. + 8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**. + 9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates. + ![NDES Service delegation complete.](images/aadjcert/ndessvcdelegation-host-ca-spn.png) + 10. Click **OK**. Close **Active Directory Users and Computers**. ### Configure the NDES Role and Certificate Templates @@ -375,18 +465,31 @@ Sign-in to the certificate authority or management workstations with an _Enterpr ![Server Manager Post-Install Yellow flag.](images/aadjcert/servermanager-post-ndes-yellowactionflag.png) 1. Click the **Configure Active Directory Certificate Services on the destination server** link. + 2. On the **Credentials** page, click **Next**. + ![NDES Installation Credentials.](images/aadjcert/ndesconfig01.png) + 3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next** + ![NDES Role Services.](images/aadjcert/ndesconfig02.png) + 4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**. + ![NDES Service Account for NDES.](images/aadjcert/ndesconfig03b.png) + 5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**. + ![NDES CA selection.](images/aadjcert/ndesconfig04.png) + 6. On the **RA Information**, click **Next**. + 7. On the **Cryptography for NDES** page, click **Next**. + 8. Review the **Confirmation** page. Click **Configure**. + ![NDES Confirmation.](images/aadjcert/ndesconfig05.png) + 9. Click **Close** after the configuration completes. #### Configure Certificate Templates on NDES @@ -412,18 +515,23 @@ If the need arises, you can configure a signature certificate in the encryption Sign-in to the NDES Server with _local administrator_ equivalent credentials. 1. Open an elevated command prompt. + 2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices. + 3. Type the following command: - ``` + ```console reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName] ``` + where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example: - ``` + + ```console reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication ``` 4. Type **Y** when the command asks for permission to overwrite the existing value. + 5. Close the command prompt. > [!IMPORTANT] @@ -444,21 +552,34 @@ Connector group automatically round-robin, load balance the Azure AD Application Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. + 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. + 3. Under **MANAGE**, click **Application proxy**. + 4. Click **Download connector service**. Click **Accept terms & Download**. Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain. + ![Azure Application Proxy Connectors.](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png) + 5. Sign-in the computer that will run the connector with access equivalent to a _domain user_. + > [!IMPORTANT] > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers. 6. Start **AADApplicationProxyConnectorInstaller.exe**. + 7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**. + ![Azure Application Proxy Connector: license terms](images/aadjcert/azureappproxyconnectorinstall-01.png) + 8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**. + ![Azure Application Proxy Connector: sign-in](images/aadjcert/azureappproxyconnectorinstall-02.png) + 9. When the installation completes. Read the information regarding outbound proxy servers. Click **Close**. + ![Azure Application Proxy Connector: read](images/aadjcert/azureappproxyconnectorinstall-03.png) + 10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments. #### Create a Connector Group @@ -466,12 +587,19 @@ Sign-in a workstation with access equivalent to a _domain user_. Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. + 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. + 3. Under **MANAGE**, click **Application proxy**. + ![Azure Application Proxy Connector groups.](images/aadjcert/azureconsole-applicationproxy-connectors-default.png) + 4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**. + ![Azure Application New Connector Group.](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png) + 5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests. + 6. Click **Save**. #### Create the Azure Application Proxy @@ -479,17 +607,29 @@ Sign-in a workstation with access equivalent to a _domain user_. Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. + 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. + 3. Under **MANAGE**, click **Application proxy**. + 4. Click **Configure an app**. + 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL. + 6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**. + 7. Under **Internal URL**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net). + ![Azure NDES Application Proxy Configuration.](images/aadjcert/azureconsole-appproxyconfig.png) + 8. Select **Passthrough** from the **Pre Authentication** list. + 9. Select **NDES WHFB Connectors** from the **Connector Group** list. + 10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**. + 11. Click **Add**. + 12. Sign-out of the Azure Portal. > [!IMPORTANT] @@ -502,16 +642,27 @@ This task enrolls a client and server authentication certificate used by the Int Sign-in the NDES server with access equivalent to _local administrators_. 1. Start the Local Computer **Certificate Manager** (certlm.msc). + 2. Expand the **Personal** node in the navigation pane. + 3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. + 4. Click **Next** on the **Before You Begin** page. + 5. Click **Next** on the **Select Certificate Enrollment Policy** page. + 6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box. + 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png) + 8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**. + 9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished. + 10. Click **Enroll** + 11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices. ### Configure the Web Server Role @@ -521,15 +672,25 @@ This task configures the Web Server role on the NDES server to use the server au Sign-in the NDES server with access equivalent to _local administrator_. 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. + 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. + ![NDES IIS Console](images/aadjcert/ndes-iis-console.png) -3. Click **Bindings...*** under **Actions**. Click **Add**. + +3. Click **Bindings...** under **Actions**. Click **Add**. + ![NDES IIS Console: Add](images/aadjcert/ndes-iis-bindings.png) + 4. Select **https** from **Type**. Confirm the value for **Port** is **443**. + 5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**. + ![NDES IIS Console: Certificate List](images/aadjcert/ndes-iis-bindings-add-443.png) + 6. Select **http** from the **Site Bindings** list. Click **Remove**. + 7. Click **Close** on the **Site Bindings** dialog box. + 8. Close **Internet Information Services (IIS) Manager**. ### Verify the configuration @@ -541,18 +702,23 @@ Sign-in the NDES server with access equivalent to _local administrator_. #### Disable Internet Explorer Enhanced Security Configuration 1. Open **Server Manager**. Click **Local Server** from the navigation pane. + 2. Click **On** next to **IE Enhanced Security Configuration** in the **Properties** section. + 3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**. Click **OK**. + 4. Close **Server Manager**. #### Test the NDES web server 1. Open **Internet Explorer**. + 2. In the navigation bar, type - ``` + ```https https://[fqdnHostName]/certsrv/mscep/mscep.dll ``` + where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentService** source. @@ -560,6 +726,7 @@ A web page similar to the following should appear in your web browser. If you d ![NDES IIS Console: Source](images/aadjcert/ndes-https-website-test-01.png) Confirm the web site uses the server authentication certificate. + ![NDES IIS Console: Confirm](images/aadjcert/ndes-https-website-test-01-show-cert.png) ## Configure Network Device Enrollment Services to work with Microsoft Intune @@ -575,23 +742,34 @@ Sign-in the NDES server with access equivalent to _local administrator_. #### Configure the Default Web Site 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. + 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. + 3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane. + ![Intune NDES Request filtering.](images/aadjcert/NDES-IIS-RequestFiltering.png) + 4. Select **Allow unlisted file name extensions**. + 5. Select **Allow unlisted verbs**. + 6. Select **Allow high-bit characters**. + 7. Type **30000000** in **Maximum allowed content length (Bytes)**. + 8. Type **65534** in **Maximum URL length (Bytes)**. + 9. Type **65534** in **Maximum query string (Bytes)**. + 10. Click **OK**. Close **Internet Information Services (IIS) Manager**. #### Configure Parameters for HTTP.SYS 1. Open an elevated command prompt. + 2. Run the following commands: - ``` + ```console reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534 reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534 ``` @@ -607,10 +785,15 @@ The Intune Certificate Connector application enables Microsoft Intune to enroll Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). + 2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**. + 3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section. + ![Intune Certificate Authority.](images/aadjcert/profile01.png) + 4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server. + 5. Sign-out of the Microsoft Endpoint Manager admin center. ### Install the Intune Certificate Connector @@ -618,27 +801,39 @@ Sign-in a workstation with access equivalent to a _domain user_. Sign-in the NDES server with access equivalent to _domain administrator_. 1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server. + 2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server. + 3. On the **Microsoft Intune** page, click **Next**. + ![Intune Connector Install 01.](images/aadjcert/intunecertconnectorinstall-01.png) + 4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation. + 5. On the **Destination Folder** page, click **Next**. + 6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**. + ![Intune Connector Install 03.](images/aadjcert/intunecertconnectorinstall-03.png) + 7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**. + ![Intune Connector Install 05.](images/aadjcert/intunecertconnectorinstall-05.png) > [!NOTE] > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page. 8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**. + 9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**. + ![Intune Connector Install 06.](images/aadjcert/intunecertconnectorinstall-06.png) > [!NOTE] > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder. 10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. + ![Intune Connector install 07.](images/aadjcert/intunecertconnectorinstall-07.png) ### Configure the Intune Certificate Connector @@ -651,9 +846,11 @@ Sign-in the NDES server with access equivalent to _domain administrator_. > If the **NDES Connector** user interface is not open, you can start it from **\\NDESConnectorUI\NDESConnectorUI.exe**. 2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply** + ![Intune Certificate Connector Configuration 01.](images/aadjcert/intunecertconnectorconfig-01.png) 3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role. + ![Intune Certificate Connector Configuration 02.](images/aadjcert/intunecertconnectorconfig-02.png) > [!IMPORTANT] @@ -671,9 +868,13 @@ Optionally (not required), you can configure the Intune connector for certificat Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. 1. Start the **Certification Authority** management console. + 2. In the navigation pane, right-click the name of the certificate authority and select **Properties**. + 3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. + ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png) + 4. Close the **Certification Authority** #### Enable the NDES Connector for certificate revocation @@ -681,8 +882,11 @@ Sign-in the certificate authority used by the NDES Connector with access equival Sign-in the NDES server with access equivalent to _domain administrator_. 1. Open the **NDES Connector** user interface (**\\NDESConnectorUI\NDESConnectorUI.exe**). + 2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**. + ![Intune Connector cert revocation configuration 04.](images/aadjcert/intunecertconnectorconfig-04.png) + 3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**. ### Test the NDES Connector @@ -690,23 +894,28 @@ Sign-in the NDES server with access equivalent to _domain administrator_. Sign-in the NDES server with access equivalent to _domain admin_. 1. Open a command prompt. + 2. Type the following command to confirm the NDES Connector's last connection time is current. - ``` + ```console reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus ``` 3. Close the command prompt. + 4. Open **Internet Explorer**. + 5. In the navigation bar, type: - ``` + ```console https://[fqdnHostName]/certsrv/mscep/mscep.dll ``` where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. + ![NDES web site test after Intune Certificate Connector.](images/aadjcert/ndes-https-website-test-after-intune-connector.png) + 6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**. ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile @@ -716,14 +925,23 @@ Sign-in the NDES server with access equivalent to _domain admin_. Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. + 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. + 3. Click **Groups**. Click **New group**. + 4. Select **Security** from the **Group type** list. + 5. Under **Group Name**, type the name of the group. For example, **AADJ WHFB Certificate Users**. + 6. Provide a **Group description**, if applicable. + 7. Select **Assigned** from the **Membership type** list. + ![Azure AD new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png) + 8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**. + 9. Click **Create**. ### Create a SCEP Certificate Profile @@ -731,20 +949,30 @@ Sign-in a workstation with access equivalent to a _domain user_. Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). + 2. Select **Devices**, and then click **Configuration Profiles**. + 3. Select **Create Profile**. + ![Intune Device Configuration Create Profile.](images/aadjcert/profile02.png) + 4. Select **Windows 10 and later** from the **Platform** list. + 5. Choose **SCEP certificate** from the **Profile** list, and select **Create**. + 6. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**. + 7. Next to **Description**, provide a description meaningful for your environment, then select **Next**. + 8. Select **User** as a certificate type. + 9. Configure **Certificate validity period** to match your organization. > [!IMPORTANT] > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity. 10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list. + 11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate. > [!NOTE] @@ -752,13 +980,21 @@ Sign-in a workstation with access equivalent to a _domain user_. > If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement). 12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}. + 13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. + 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile. + 15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. + 16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. + ![WHFB SCEP certificate Profile EKUs.](images/aadjcert/profile03.png) + 17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile. + 18. Click **Next**. + 19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**. ### Assign Group to the WHFB Certificate Enrollment Certificate Profile @@ -766,12 +1002,19 @@ Sign-in a workstation with access equivalent to a _domain user_. Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). + 2. Select **Devices**, and then click **Configuration Profiles**. + 3. Click **WHFB Certificate Enrollment**. + 4. Select **Properties**, and then click **Edit** next to the **Assignments** section. + 5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list. Click **Select groups to include**. + ![WHFB SCEP Profile Assignment.](images/aadjcert/profile04.png) + 6. Select the **AADJ WHFB Certificate Users** group. Click **Select**. + 7. Click **Review + Save**, and then **Save**. You have successfully completed the configuration. Add users that need to enroll a Windows Hello for Business authentication certificate to the **AADJ WHFB Certificate Users** group. This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources. diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AADConnectOnPremDN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AADConnectOnPremDN.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-01.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-01.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-01.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-02.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-02.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-02.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-03.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-03.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-03.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Default.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-default.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Default.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-default.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Empty.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-empty.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Empty.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-empty.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-NewConnectorGroup.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-newconnectorgroup.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-NewConnectorGroup.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-newconnectorgroup.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-AppProxyConfig.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-appproxyconfig.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-AppProxyConfig.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-appproxyconfig.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/dotNet35sideByside.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/dotnet35sidebyside.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/dotNet35sideByside.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/dotnet35sidebyside.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig01.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig01.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig01.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig02.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig02.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig02.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig03b.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig03b.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig03b.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig03b.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig04.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig04.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig04.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig05.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig05.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig05.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig05.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-CA-SPN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ca-spn.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-CA-SPN.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ca-spn.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-NDES-SPN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ndes-spn.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-NDES-SPN.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ndes-spn.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegationTab.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegationtab.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegationTab.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegationtab.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-add-Features.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-add-features.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-add-Features.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-add-features.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-HTTP-Activation.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-http-activation.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-HTTP-Activation.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-http-activation.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-NDES-Role-Checked.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-ndes-role-checked.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-NDES-Role-Checked.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-ndes-role-checked.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-Role.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-role.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-Role.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-role.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-WebServer-Role.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-webserver-role.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-WebServer-Role.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-webserver-role.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Destination-Server-NDES.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-destination-server-ndes.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Destination-Server-NDES.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-destination-server-ndes.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Post-NDES-YellowActionFlag.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-post-ndes-yellowactionflag.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Post-NDES-YellowActionFlag.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-post-ndes-yellowactionflag.png diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/setSPN-CommandPrompt.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/setspn-commandprompt.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/aadjCert/setSPN-CommandPrompt.png rename to windows/security/identity-protection/hello-for-business/images/aadjCert/setspn-commandprompt.png diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md index 34a70a7698..3c10de8372 100644 --- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md @@ -72,7 +72,8 @@ For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f Setting that applies to all boot applications may be applied only to an individual application, however the reverse is not true. For example, one can specify either: “`all:locale`” or “`winresume:locale`”, but as the bcd setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields. -> **Note:**  Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid. +> [!NOTE] +> Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.   ### Default BCD validation profile @@ -109,7 +110,9 @@ The following table contains the default BCD validation profile used by BitLocke ### Full list of friendly names for ignored BCD settings This following is a full list of BCD settings with friendly names, which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker–protected operating system drive to be unlocked. -> **Note:**  Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list. + +> [!NOTE] +> Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list. | Hex Value | Prefix | Friendly Name | | - | - | - | diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 5582a89d66..9a77ca4317 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -190,8 +190,8 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us -

Name

-

Parameters

+

Name

+

Parameters

Add-BitLockerKeyProtector

@@ -388,8 +388,9 @@ Get-ADUser -filter {samaccountname -eq "administrator"} > [!NOTE] > Use of this command requires the RSAT-AD-PowerShell feature. -> -> **Tip:**  In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. + +> [!TIP] +> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index fd212875f8..bc8488a920 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -69,7 +69,7 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th > [!NOTE] > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. - +> > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. The hard disk must be partitioned with at least two drives: diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index d58028caea..a4bc245136 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -64,7 +64,8 @@ manage-bde –protectors -add C: -startupkey E: manage-bde -on C: ``` ->**Note:**  After the encryption is completed, the USB startup key must be inserted before the operating system can be started. +> [!NOTE] +> After the encryption is completed, the USB startup key must be inserted before the operating system can be started. An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. To add them, use this command: @@ -102,7 +103,8 @@ You may experience a problem that damages an area of a hard disk on which BitLoc The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS. ->**Tip:**  If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume. +> [!TIP] +> If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume. The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true: @@ -110,7 +112,8 @@ The Repair-bde command-line tool is intended for use when the operating system d - Windows does not start, or you cannot start the BitLocker recovery console. - You do not have a copy of the data that is contained on the encrypted drive. ->**Note:**  Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. +> [!NOTE] +> Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. The following limitations exist for Repair-bde: @@ -130,8 +133,8 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work -

Name

-

Parameters

+

Name

+

Parameters

Add-BitLockerKeyProtector

@@ -251,10 +254,13 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. + A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the Get-BitLockerVolume cmdlet. + The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status, and other details. ->**Tip:**  Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. +> [!TIP] +> Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. `Get-BitLockerVolume C: | fl` If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. @@ -274,7 +280,8 @@ By using this information, you can then remove the key protector for a specific Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` ->**Note:**  The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. +> [!NOTE] +> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. ### Using the BitLocker Windows PowerShell cmdlets with operating system volumes @@ -302,11 +309,13 @@ $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw ``` + ### Using an AD Account or Group protector in Windows PowerShell The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and be unlocked by any member computer of the cluster. ->**Warning:**  The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes +> [!WARNING] +> The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. @@ -316,13 +325,15 @@ Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Adminis For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command: ->**Note:**  Use of this command requires the RSAT-AD-PowerShell feature. +> [!NOTE] +> Use of this command requires the RSAT-AD-PowerShell feature. ```powershell get-aduser -filter {samaccountname -eq "administrator"} ``` ->**Tip:**  In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. +> [!TIP] +> In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account: @@ -330,7 +341,8 @@ The following example adds an **ADAccountOrGroup** protector to the previously e Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500 ``` ->**Note:**  Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. +> [!NOTE] +> Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. ## More information diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md index f8dc37af5a..f2ed14e623 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md @@ -41,6 +41,7 @@ This issue may be caused by settings that are controlled by Group Policy Objects To resolve this issue, follow these steps: 1. Start Registry Editor, and navigate to the following subkey: + **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE** 1. Delete the following entries: @@ -55,9 +56,13 @@ To resolve this issue, follow these steps: You have a computer that is running Windows 10, version 1709 or version 1607, or Windows 11. You try to encrypt a USB drive by following these steps: 1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**. + 1. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**. + 1. Follow the instructions on the page to enter your password. + 1. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**. + 1. The **Starting encryption** page displays the message "Access is denied." You receive this message on any computer that runs Windows 10 version 1709 or version 1607, or Windows 11, when you use any USB drive. @@ -72,13 +77,13 @@ To verify that this issue has occurred, follow these steps: 1. At the command prompt, enter the following command: - ```cmd + ```console C:\>sc sdshow bdesvc ``` The output of this command resembles the following: - > D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD) + > `D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)` 1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring) command in the PowerShell window, as follows. @@ -95,7 +100,7 @@ To verify that this issue has occurred, follow these steps: 1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command: - ```ps + ```powershell sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD) ``` diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md index 6b1ee39717..4142982e69 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md @@ -158,7 +158,7 @@ For more information and recommendations about backing up virtualized domain con When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry that resembles the following: -``` +```console \# for hex 0xc0210000 / decimal -1071579136 ‎ STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h ‎ \# This volume is locked by BitLocker Drive Encryption. @@ -166,7 +166,7 @@ When the VSS NTDS writer requests access to the encrypted drive, the Local Secur The operation produces the following call stack: -``` +```console \# Child-SP RetAddr Call Site ‎ 00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\] ‎ 01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\] diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md index 276b174efd..9c0af342bc 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md @@ -55,7 +55,8 @@ To install the tool, follow these steps: To use TBSLogGenerator, follow these steps: -1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder: +1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder: + **C:\\Program Files (x86)\\Windows Kits\\10\\Hardware Lab Kit\\Tests\\amd64\\NTTEST\\BASETEST\\ngscb** This folder contains the TBSLogGenerator.exe file. @@ -63,9 +64,11 @@ To use TBSLogGenerator, follow these steps: ![Properties and location of the TBSLogGenerator.exe file.](./images/ts-tpm-3.png) 1. Run the following command: - ```cmd + + ```console TBSLogGenerator.exe -LF \.log > \.txt ``` + where the variables represent the following values: - \<*LogFolderName*> = the name of the folder that contains the file to be decoded - \<*LogFileName*> = the name of the file to be decoded @@ -74,7 +77,7 @@ To use TBSLogGenerator, follow these steps: For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file: - ```cmd + ```console TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt ``` @@ -84,12 +87,12 @@ To use TBSLogGenerator, follow these steps: ![Windows Explorer window that shows the text file that TBSLogGenerator produces.](./images/ts-tpm-5.png) -The content of this text file resembles the following. - -![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png) - -To find the PCR information, go to the end of the file. - + The content of this text file resembles the following. + + ![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png) + + To find the PCR information, go to the end of the file. + ![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png) ## Use PCPTool to decode Measured Boot logs @@ -102,7 +105,8 @@ PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.micros To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions. To decode a log, run the following command: -```cmd + +```console PCPTool.exe decodelog \.log > \.xml ``` @@ -114,4 +118,4 @@ where the variables represent the following values: The content of the XML file resembles the following. -![Command Prompt window that shows an example of how to use PCPTool.](./images/pcptool-output.jpg) +:::image type="content" alt-text="Command Prompt window that shows an example of how to use PCPTool." source="./images/pcptool-output.jpg" lightbox="./images/pcptool-output.jpg"::: diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index 13b4676a20..44ad76e76b 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md @@ -20,7 +20,7 @@ ms.custom: bitlocker This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices. -![The BitLocker status indictors on the Intune portal.](./images/4509189-en-1.png) +:::image type="content" alt-text="The BitLocker status indictors on the Intune portal." source="./images/4509189-en-1.png" lightbox="./images/4509189-en-1.png"::: To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages: @@ -104,10 +104,11 @@ The procedures described in this section depend on the default disk partitions t To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands: -``` +```console diskpart list volume ``` + ![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png) If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager). @@ -118,16 +119,17 @@ If the status of any of the volumes is not healthy or if the recovery partition To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command: -```cmd +```console reagentc /info ``` + The output of this command resembles the following. ![Output of the reagentc /info command.](./images/4509193-en-1.png) If the **Windows RE status** is not **Enabled**, run the following command to enable it: -```cmd +```console reagentc /enable ``` @@ -135,13 +137,13 @@ reagentc /enable If the partition status is healthy, but the **reagentc /enable** command results in an error, verify that Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window: -```cmd +```console bcdedit /enum all ``` The output of this command resembles the following. -![Output of the bcdedit /enum all command.](./images/4509196-en-1.png) +:::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png"::: In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros. @@ -162,9 +164,13 @@ The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent B To verify the BIOS mode, use the System Information app. To do this, follow these steps: 1. Select **Start**, and enter **msinfo32** in the **Search** box. + 1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**. + ![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png) + 1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device. + > [!NOTE] > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device. @@ -186,7 +192,7 @@ You can resolve this issue by verifying the PCR validation profile of the TPM an To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command: -```cmd +```console Manage-bde -protectors -get %systemdrive% ``` @@ -203,16 +209,22 @@ If **PCR Validation Profile** doesn't include **7** (for example, the values inc To verify the Secure Boot state, use the System Information app. To do this, follow these steps: 1. Select **Start**, and enter **msinfo32** in the **Search** box. + 1. Verify that the **Secure Boot State** setting is **On**, as follows: + ![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png) + 1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device. + ![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png) > [!NOTE] > You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command: +> > ```ps > PS C:\> Confirm-SecureBootUEFI > ``` +> > If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True." > > If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False." diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md index aa70c53412..110aad6465 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md @@ -49,7 +49,7 @@ You can use either of the following methods to manually back up or synchronize a For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command: - ```cmd + ```console manage-bde -protectors -adbackup C: ``` @@ -60,7 +60,7 @@ You can use either of the following methods to manually back up or synchronize a You have a tablet or slate device, and you try to test BitLocker Recovery by running the following command: -```cmd +```console Manage-bde -forcerecovery ``` @@ -82,14 +82,21 @@ This behavior is by design for all versions of Windows. To resolve the restart loop, follow these steps: 1. On the BitLocker Recovery screen, select **Skip this drive**. + 1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**. -1. In the Command Prompt window, run the following commands : - ```cmd + +1. In the Command Prompt window, run the following commands: + + ```console manage-bde –unlock C: -rp <48-digit BitLocker recovery password> manage-bde -protectors -disable C: + ``` + 1. Close the Command Prompt window. + 1. Shut down the device. + 1. Start the device. Windows should start as usual. ## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password @@ -115,7 +122,7 @@ Devices that support Connected Standby (also known as *InstantGO* or *Always On, To verify the PCR values that are in use on a device, open and elevated Command Prompt window and run the following command: -```cmd +```console manage-bde.exe -protectors -get : ``` @@ -130,21 +137,34 @@ If you have installed a TPM or UEFI update and your device cannot start, even if To do this, follow these steps: 1. Obtain your BitLocker recovery password from [your Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator for help. + 1. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive. + 1. Insert the USB Surface recovery image drive into the Surface device, and start the device. + 1. When you are prompted, select the following items: + 1. Your operating system language. + 1. Your keyboard layout. + 1. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**. + 1. In the Command Prompt window, run the following commands: - ```cmd + + ```console manage-bde -unlock -recoverypassword : manage-bde -protectors -disable : + ``` + In these commands, \<*Password*\> is the BitLocker recovery password that you obtained in step 1, and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. + > [!NOTE] > For more information about how to use this command, see [manage-bde: unlock](/windows-server/administration/windows-commands/manage-bde-unlock). + 1. Restart the computer. + 1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1. > [!NOTE] @@ -155,11 +175,15 @@ To do this, follow these steps: To recover data from your Surface device if you cannot start Windows, follow steps 1 through 5 of [Step 1](#step-1) to return to the Command Prompt window, and then follow these steps: 1. At the command prompt, run the following command: - ```cmd + + ```console manage-bde -unlock -recoverypassword : ``` + In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive. + 1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive. + > [!NOTE] > For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands). @@ -172,30 +196,42 @@ To prevent this issue from recurring, we strongly recommend that you restore t To enable Secure Boot on a Surface device, follow these steps: 1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet: - ```ps + + ```powershell Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` + In this command, <*DriveLetter*> is the letter that is assigned to your drive. + 1. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**. + 1. Restart the device. + 1. Open an elevated PowerShell window, and run the following cmdlet: - ```ps + + ```powershell Resume-BitLocker -MountPoint ":" ``` To reset the PCR settings on the TPM, follow these steps: 1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies. + For more information, see [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md). + 1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet: - ```ps + + ```powershell Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` where <*DriveLetter*> is the letter assigned to your drive. + 1. Run the following cmdlet: - ```ps + + ```powershell Resume-BitLocker -MountPoint ":" + ``` #### Step 4: Suspend BitLocker during TPM or UEFI firmware updates @@ -209,13 +245,19 @@ You can avoid this scenario when you install updates to system firmware or TPM f To suspend BitLocker while you install TPM or UEFI firmware updates: 1. Open an elevated Windows PowerShell window, and run the following cmdlet: - ```ps + + ```powershell Suspend-BitLocker -MountPoint ":" -RebootCount 0 + ``` + In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive. + 1. Install the Surface device driver and firmware updates. + 1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet: - ```ps + + ```powershell Resume-BitLocker -MountPoint ":" ``` @@ -230,22 +272,31 @@ You have a device that runs Windows 11, Windows 10, version 1703, Windows 10, v If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps: 1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on. + 1. On the Recovery screen, press Enter. When you are prompted, enter the recovery password. + 1. If your device starts in the (WinRE) and prompts you for the recovery password again, select **Skip the drive**. + 1. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**. + 1. In the Command Prompt window, run the following commands: - ```cmd + + ```console Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by “-“ in 6 digit group> Manage-bde -protectors -disable c: exit ``` These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window. + > [!NOTE] > These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment. + 1. Select **Continue**. Windows should start. + 1. After Windows has started, open an elevated Command Prompt window and run the following command: - ```cmd + + ```console Manage-bde -protectors -enable c: ``` @@ -254,7 +305,7 @@ If your device is already in this state, you can successfully start Windows afte To temporarily suspend BitLocker just before you restart the device, open an elevated Command Prompt window and run the following command: -```cmd +```console Manage-bde -protectors -disable c: -rc 1 ``` diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index c0d45b5bad..a34c5d900d 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -9,7 +9,7 @@ metadata: ms.localizationpriority: medium author: denisebmsft ms.author: deniseb - ms.date: 09/29/2021 + ms.date: 09/30/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -171,11 +171,6 @@ sections: 10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. - - question: | - Why can I not launch Application Guard when Exploit Guard is enabled? - answer: | - There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. - - question: | How can I disable portions of ICS without breaking Application Guard? answer: |